Apple iPhone May Be Vulnerable to Email Hack
April 22 2020 - 8:29AM
Dow Jones News
By Robert McMillan
Sophisticated hackers may be attacking Apple Inc. iPhones by
exploiting a previously unknown flaw in the smartphone's email
software, according to a digital-security company that has
investigated the incidents.
Attacks on the devices that traditionally have enjoyed a solid
reputation for safeguarding personal data date back at least two
years and would have been virtually undetectable by victims, Zuk
Avraham, chief executive of ZecOps Inc., the San Francisco-based
cybersecurity company that detected and analyzed the hacks told The
Wall Street Journal.
The intrusions are hard to detect because of the sophisticated
nature of the attack, and Apple's own security measures, which can
sometimes make investigating the devices a challenge, according to
ZecOps.
Typically phone hacks require a user to take a specific action
to download malware, such as clicking on a message, or visiting a
website. In this case, hackers have found a way to install
malicious software without the recipient doing anything.
Hackers would send a specially crafted email message to gain
access to the recipient's device, Mr. Avraham said. The bug is
triggered when the message is downloaded by the phone's email
reader, without further action by the recipient, he said.
ZecOps based its analysis on digital clues left after an attack
within the iPhone's operating system, rather than the malware
itself. The company was unable to obtain the malicious code because
the emails used to launch the attacks had been deleted from
victims' devices, Mr. Avraham said.
The attack marks the latest setback for Apple iPhone security,
which had long been considered the gold-standard for protection of
customer data on smartphones. The iPhone's reputation has suffered
over the past year as security researchers have uncovered a series
of attack tools--called exploits--that can be used to gain
unauthorized access to the iPhone by leveraging bugs in the phone's
software. Hackers typically use exploits to install software on the
phone that can then download emails, messages, photos and other
sensitive information.
ZecOps so far identified six targets for the attacks based on
the email vulnerability, whom Mr. Avraham declined to name. They
include, he said, employees of a telecommunications company in
Japan, a large North American firm, technology companies in Saudi
Arabia and Israel, a European journalist and an individual in
Germany.
The ZecOps evidence of continuing attacks is compelling,
although short of being definitive, said Patrick Wardle, a security
researcher at mobile-security company Jamf Software LLC, who has
examined ZecOps report on the bug. But it does show that Apple has
a serious security issue that needs to be fixed, he said.
Apple appears to have taken steps to fix the flaw. The U.S. tech
giant has patched the mail bug in a test version of its iPhone
operating system, but the fix hasn't yet been widely released
through an official IOS update, Mr. Avraham said.
Since the iPhone's introduction in 2007, Apple has spent
millions of dollars developing and promoting it as a secure
computing device. Experts such as Mr. Wardle consider it to be the
most secure consumer device built today.
Still, on Tuesday, Reston, Va.-based security firm Volexity Inc.
said that between January and March of this year, hackers had
placed a new exploit on websites serving China's minority Uighur
community, a group some Western officials say are being persecuted
by Beijing, a charge the Chinese government denies. The company
fixed that flaw last summer.
The data vulnerability Volexity found leveraged a flaw in
Apple's browser. For it to work, the user would have to have
visited a website controlled by the hackers while using a mobile
phone that was running an older version of Apple's operating
system, including IOS 12.3, 12.3.1, and 12.3.2 software. Apple
patched the flaw in version 12.4. Apple's current has deployed IOS
version 13.4.1.
On its website, Apple says that about 30 percent of users are
not using the latest version of its IOS. Many of these users would
be vulnerable to this attack, said Steven Adair, Volexity's
founder.
An Apple spokesman declined to comment on the Volexity
research.
The attack echoes an earlier weakness in iPhone security that
Google researchers disclosed in August. Those attacks infiltrated
the smartphones of people who visited a small group of hacked
websites. The attack code Google's researchers uncovered took
advantage of a total of 14 iPhone bugs. At the time, Apple said
that the attacks uncovered by Google weren't widespread, affecting
"fewer than a dozen websites that focus on content related to the
Uighur community."
Because mobile phones contain some of their owner's most
sensitive information--their photos, contacts, text messages and
even details of their movements--it is particularly worrisome when
they are hacked, Mr. Adair said.
Write to Robert McMillan at Robert.Mcmillan@wsj.com
(END) Dow Jones Newswires
April 22, 2020 08:14 ET (12:14 GMT)
Copyright (c) 2020 Dow Jones & Company, Inc.
Apple (NASDAQ:AAPL)
Historical Stock Chart
From Mar 2024 to Apr 2024
Apple (NASDAQ:AAPL)
Historical Stock Chart
From Apr 2023 to Apr 2024