New iPhone Zero-Day Discovered

Last year, ZecOps discovered two iPhone zero-day exploits. They will be patched in the next iOS release:

Avraham declined to disclose many details about who the targets were, and did not say whether they lost any data as a result of the attacks, but said “we were a bit surprised about who was targeted.” He said some of the targets were an executive from a telephone carrier in Japan, a “VIP” from Germany, managed security service providers from Saudi Arabia and Israel, people who work for a Fortune 500 company in North America, and an executive from a Swiss company.

[…]

On the other hand, this is not as polished a hack as others, as it relies on sending an oversized email, which may get blocked by certain email providers. Moreover, Avraham said it only works on the default Apple Mail app, and not on Gmail or Outlook, for example.

Posted on April 22, 2020 at 9:12 AM

Comments

Phaete April 22, 2020 10:42 AM

6,250.00 dollars a month to protect 3 devices.

They also have their own “Bug hunting program”, which explains timeline and fix debits (shortages? not sure for the right word).

Nice that they found the bug, but this is one of the companies I categorise as parasitic.

myliit April 22, 2020 11:02 AM

How big does the attachment have to be?

Is now the time to switch to Android, or is Android worse for non rocket scientists?

myliit April 22, 2020 11:06 AM

Oops, email OR attachment regarding large email size. For example from OP:

“On the other hand, this is not as polished a hack as others, as it relies on sending an oversized email, which may get blocked by certain email providers. Moreover, Avraham said it only works on the default Apple Mail app, and not on Gmail or Outlook, for example.”

me April 23, 2020 1:59 AM

I’m not surprised about the targets. iOS remote code execution 0-day exploits cost about two million dollars on the black market. You don’t burn such an exploit by attacking random targets all over the world. You go from the top and you stop attacking more targets before your operation is too large to hide.

Clive Robinson April 23, 2020 7:02 AM

Hmm what springs to mind is “so what?”.

If people applied a little logic to the security side they would realise that no matter how hard Apple try to keep people out of their lucrative “walled garden” people are going to get in. The more Apple tries to stop this the more they drive forward the market against them. It’s why those “no click zero days” are so expensive.

Look at it this way, finding zero click zero days is a little like bitcoin mining, you might get one by chance but the more you chase the more you have to invest and a million bucks does not get you very much these days.

Thus arguably even the Apple market in such vulnerabilities is undervalued in real terms. The fact Apple is one of the big offenders of finding excuses not to pay for bugs or devalue their worth to next to nothing gives you a big clue why the money in such vulnerabilities is selling surveillance software to repressive regimes who are prepared to pay hundreds of thousands of dollars for access to each phone of select targets.

People should realise that the whole design from the ground up in consumer phones is actually insecure by default. Adding software security to poorly designed hardware is a known way of failing to achieve security indefinitely.

But Apple has always been about “style over substance” this century, thus the follow on is it’s also “style over security”.

Apple just play at security because that is what gives them the price differential by those who don’t know any better.

Thus the real story if people go looking for it is Apple trying to buy up small security firms to put them out of business to keep the illusion of security. When that fails as we can see Apple go to court to try to beggar such organisations out of existence.

People should learn the lesson,

    No consumer level phone is secure, because they are just not designed that way. So get your security in more reliable ways.

It’s also true of those supposedly “secure applications”: they can not be secure because what is below them in the computing stack is not secure, so end-run attacks make them vulnerable not just some but all of the time.

myliit April 23, 2020 3:58 PM

Many mail providers, of course, have their own apps. Should Apple users be using them instead?

https://www.washingtonpost.com/technology/2020/04/23/apple-hack-mail-iphone/

“… The murkiness of iOS makes the job of companies like ZecOps extremely difficult. Even with the ability to scan the logs of its clients’ iPhones, the company is often only able to theorize whether there’s been an attack, with varying degrees of certainty. That’s what makes its most recent discovery so rare. It was able to essentially reverse-engineer suspicious activity and use it to discover an unknown security exploit.

While the hack raises questions about whether iPhone users should use the built-in email app, removing it can create challenges for users. Even if an Apple customer deletes the app, there is no way to change the default email application to a competing app, such as Microsoft’s Outlook. Deleting the app can lead to a loss of functionality. For instance, clicking on an email link will no longer work and users will be greeted by a message from Apple requesting that they re-download the app.”

lurker April 23, 2020 4:40 PM

I was in China May 34 2014[1] when G- Search, Maps, Webmail and most other G-services were blocked. I thought I was lucky that Apple’s Mail.app used IMAP-TLS ports, not https, and kept on working for gmail. Looks like maybe somebody has been working on that reduced attack area…

  1. May 34 will be rejected by Chinese filters as an invalid date. June 3 will get you immediate attention as a Tiananmen/democracy agitator.

Tony April 24, 2020 4:06 PM

So my iPhone told me this morning that there was a new update available.

Hurrah!

Then I read the “what’s new” blurb and found the two items that Apple thought worth mentioning were:

1) Fix to allow Facetime with older versions of that app.
2) Something to do with Bluetooth settings.
