This serious security flaw affects all devices that have run iOS since at least version 6, released in 2012. It has been exploited since at least January 2018 against specific high-profile individuals, and probably for much longer than that.
This is a so-called zero-day flaw, a particularly rare kind, because it was completely unknown to the manufacturer’s engineering teams before it was revealed by a third party. The flaw is all the more serious because it is present in the iOS operating system, which has been used on hundreds of millions of iPhones and iPads since at least 2012.
According to researchers from the California cybersecurity company ZecOps, which disclosed it on Wednesday, the flaw is present on smartphones and tablets running iOS 6 and later versions.
The Mail application as a gateway for hackers
The American firm Apple has officially acknowledged this high-profile flaw and indicated that it will be corrected once the update to iOS 13.4.5 is installed.
The ZecOps researchers said that this very serious vulnerability allows hackers to install malicious software discreetly, and without any action on the part of the user. The process is almost undetectable, since it is not even necessary to click on a link or download an infected file.
In fact, the victim receives a seemingly empty email which causes the Mail application to slow down or sometimes crash. In the background, a back door is created which allows the attacker to access data from the smartphone or tablet: in particular photos and contacts saved in the “Mail” application.
Several victims identified
The vulnerability had gone unnoticed for all these years, until the researchers carried out a post-mortem analysis of an attack that had targeted one of their clients.
These 0 click vulnerabilities that had in the wild triggers exists on iOS since (hold your breath)… iOS 6 !! This is one of the deepest vulnerabilities ever discovered on mobile (including Android). https://t.co/4mjXsPfrKM
– Zuk (@ihackbanme) April 22, 2020
In its publication, ZecOps claims that high-profile individuals have been victims of this attack since at least January 2018, and gives a list of examples, which cannot be independently verified: leaders of large American companies, an executive at a Japanese operator, a German VIP and a European journalist, among others.
The flaw has undoubtedly been exploited for years by states with substantial resources and by highly skilled hackers. Pending the release of an iOS update, it is recommended that you no longer use the native email application.
The technical details are available at: https://t.co/z3rHHifbTi
We will release the POCs soon
– Zuk (@ihackbanme) April 22, 2020