Apple says devices’ flaw to be fixed

Reuters, WASHINGTON and SAN FRANCISCO





Apple Inc is planning to fix a flaw that a security firm said might have left more than 500 million iPhones vulnerable to hackers.

The bug, which also exists on iPads, was discovered by ZecOps, a San Francisco-based mobile security forensics company, while it was investigating a sophisticated cyberattack against a client that took place late last year.

ZecOps chief executive officer Zuk Avraham said he found evidence that the vulnerability was exploited in at least six cybersecurity break-ins.

People hold iPads outside an Apple Store in Pasadena, California, on March 14. Photo: Reuters

An Apple spokesman acknowledged that a vulnerability exists in Apple’s software for e-mail on iPhones and iPads, known as the Mail app, and that the company had developed a fix, which would be rolled out in a forthcoming update on millions of devices it has sold globally.

Apple declined to comment on Avraham’s research, which was published on Wednesday, that suggests the flaw could be triggered from afar and that it had already been exploited by hackers against high-profile users.

Avraham said he found evidence that a malicious program was taking advantage of the vulnerability in Apple’s iOS for mobile as far back as January 2018.

He could not determine who the hackers were and reporters were unable to independently verify his claim.

To execute the hack, Avraham said that targets would be sent an apparently blank e-mail message through the Mail app forcing a crash and reset. The crash opened the door for hackers to steal other data on the device, such as photographs and contact details.

ZecOps said that the vulnerability allowed hackers to remotely steal data off iPhones even if they were running recent versions of iOS.

By itself, the flaw could have given access to whatever the Mail app had access to, including confidential messages.

ZecOps found that the Mail app hacking technique was used against a client last year.

Avraham described the targeted client as a “Fortune 500 North American technology company,” but declined to name it.

ZecOps also found evidence of related attacks against employees of five other companies in Japan, Germany, Saudi Arabia, and Israel.

Avraham based most of his conclusions on data from “crash reports,” which are generated when programs fail in mid-task on a device. He was able to recreate a technique that caused the controlled crashes.

Two independent security researchers who reviewed ZecOps’ discovery found the evidence credible, but said that they had not yet fully recreated its findings.

While Apple is largely viewed within the cybersecurity industry as having a high standard for digital security, any successful hacking technique against iPhones could affect millions of people due to the device’s global popularity.

Apple last year said that there were about 900 million iPhones in use.