Free Republic

Flaw in iPhone, iPads may have allowed hackers to steal data for years
Thomson Reuters | Wednesday, 22 April 2020 16:52 GMT | By Christopher Bing and Joseph Menn

Posted on 04/22/2020 7:19:57 PM PDT by cba123

WASHINGTON/SAN FRANCISCO, April 22 (Reuters) - Apple Inc is planning to fix a flaw that a security firm said may have left more than half a billion iPhones vulnerable to hackers.

The bug, which also exists on iPads, was discovered by ZecOps, a San Francisco-based mobile security forensics company, while it was investigating a sophisticated cyberattack against a client that took place in late 2019. Zuk Avraham, ZecOps' chief executive, said he found evidence the vulnerability was exploited in at least six cybersecurity break-ins.

An Apple spokesman acknowledged that a vulnerability exists in Apple's software for email on iPhones and iPads, known as the Mail app, and that the company had developed a fix, which will be rolled out in a forthcoming update on millions of devices it has sold globally.

(Excerpt) Read more at news.trust.org ...


TOPICS: Business/Economy; Foreign Affairs; News/Current Events
KEYWORDS: apple; ios; ipad; iphone
First I had heard of this.
1 posted on 04/22/2020 7:19:57 PM PDT by cba123

To: cba123

https://news.trust.org/item/20200422150323-tmca0


2 posted on 04/22/2020 7:20:20 PM PDT by cba123 (I am an American. I am now in Vietnam.)

To: cba123

Glad to hear that Apple has ‘features’ too.


3 posted on 04/22/2020 7:25:23 PM PDT by George from New England

To: cba123
Reporting by Christopher Bing in Washingtong and Joseph Menn in San Francisco. Contributions from Jack Stubbs in London and Stephen Nellis in San Francisco; editing by Chris Sanders, Edward Tobin and Sonya Hepinstall.

SEVEN people worked on this article. Three of them did "editing." And still they couldn't find and fix the claim that the two primary reporters are in "Washingtong."

4 posted on 04/22/2020 7:37:05 PM PDT by ProtectOurFreedom

To: Swordmaker

For your list...


5 posted on 04/22/2020 7:45:11 PM PDT by IncPen ("Inside of every progressive is a Totalitarian screaming to get out" ~ David Horowitz)

To: cba123; Swordmaker


half a billion iPhones vulnerable to hackers.

sword swallower is behind the curve on this apple


6 posted on 04/22/2020 7:47:57 PM PDT by 867V309 (Lock Her Up)

To: 867V309

Well to be fair, the article says “may” have.


7 posted on 04/22/2020 7:50:17 PM PDT by cba123 (I am an American. I am now in Vietnam.)

To: cba123

My cynical self says... not a flaw but a design choice.

had to compete with all the other tech outfits in datamining for dollars.


8 posted on 04/22/2020 7:51:27 PM PDT by Grimmy (equivocation is but the first step along the road to capitulation)

To: cba123


Well to be fair, the article says “may” have.

nope, the headline says that.

Avraham said he found evidence that a malicious program was taking advantage of the vulnerability in Apple's iOS mobile operating system as far back as January 2018. He could not determine who the hackers were and Reuters was unable to independently verify his claim.

don't always believe weasel headlines...


9 posted on 04/22/2020 7:57:53 PM PDT by 867V309 (Lock Her Up)

To: cba123

How does this jive with all the Law Enforcement complaints of iphones being totally ‘secure’.


10 posted on 04/22/2020 8:10:27 PM PDT by Scrambler Bob (This is not /s. It is just as viable as any MSM 'information', maybe more so!)

To: Swordmaker
Hi Swordmaker,

If you can determine which versions of iOS (and if possible which versions of the Mail app) are vulnerable, please publish here.

I’m still using my old trusty 5c with 10.3.3 and no option to upgrade anything about it any more. I’m holding my breath for the upcoming re-release of the model SE. :-). But in the meantime....

11 posted on 04/22/2020 8:11:18 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government."`)

To: cba123; ~Kim4VRWC's~; 1234; 5thGenTexan; AbolishCSEU; Abundy; Action-America; acoulterfan; ...
This is not the first time Avraham has made this claim. Nor is it the first time he’s made this unsupported assertion: “Avraham, a former Israeli Defense Force security researcher, said he suspected that the hacking technique was part of a chain of malicious programs, the rest undiscovered, which could have given an attacker full remote access.” Actually, no, it could not have.

The Mail App, like all other apps on iOS, runs in a sandbox, sequestered from all other apps and data. In addition, once the iPhone or iPad crashes and restarts, anything an App that crashed it will have been doing is flushed in the restart and the user is required to re-enter the passcode. To effect anything, an email must first be opened, and in iOS, NOTHING in email runs automatically, no scripts, etc., so something in the email must be a link clicked on! It’s not automatic; it may look like an empty email, but it’s not.

ZEC is claiming 0 click and that it works on receipt of the email, and further that it works since iOS 11. I call BS on that. In fact, this looks exactly like the exact same claim they made last year. They claim they were working with Apple on a fix which was incorporated in the last iOS 13.4.5 beta as of April 15th, but if that’s so, you don’t knife Apple in the back with a public press release before it’s actually rolled out! I suspect deliberate FUD.

In fact, ZEC does not even describe it as an “exploit” but always refers to it as a vulnerability, talking about suspicions that something “may” have happened. This was the exact same phrasing they used the last time they announced this “discovery.”

For all of this to work, according to ZEC, requires the attacker to have control of your email server. . . If that’s the case, you’ve got more serious problems than someone getting access to some of your contacts and your photos.— PING!


APPLE iOS SECURITY PING!

If you want on or off the Apple/Mac/iOS Ping List, Freepmail me.

12 posted on 04/22/2020 8:18:41 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplophobe bigot!)

“Patrick Wardle, an Apple security expert and former researcher for the U.S. National Security Agency, said the discovery "confirms what has always been somewhat of a rather badly kept secret: that well-resourced adversaries can remotely and silently infect fully patched iOS devices."”

This quote is another indicator of this being FUD (Fear, Uncertainty, and Doubt). Wardle is the go-to guy when you want a guaranteed anti-Apple security quote from a so-called “expert.” He’s never had anything positive to say about Apple. He’s “former expert, will say FUD” on demand, results guaranteed or your money back! Wind the crank and it comes out. He’s no “Apple Security Expert” anything except in anti-Apple articles. . .

“Avraham based most of his conclusions on data from "crash reports," which are generated when programs fail in mid-task on a device. He was then able to recreate a technique that caused the controlled crashes.

Two independent security researchers who reviewed ZecOps' discovery found the evidence credible, but said they had not yet fully recreated its findings.”

Here is the nub. . . ZecOps’ work has NOT been peer reviewed or duplicated. AND it is apparent that Avraham does NOT have an in the wild example of an actual weaponized email message ever received by anyone, as he claims he “based his conclusion on crash reports” and then had to recreate a technique to duplicate what he saw in the crash report!

To put this in English, everything beyond a vulnerability that could possibly be exploited as described, is PURE SPECULATION on Avraham’s part! HYPERBOLE!

13 posted on 04/22/2020 8:39:18 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplophobe bigot!)

To: Swordmaker

Thank You!


14 posted on 04/22/2020 9:22:29 PM PDT by Loud Mime ("Now, go and do your duty before darkness covers the earth." Michael Uhlmann (1939 - 2019))

To: Scrambler Bob


How does this jive with all the Law Enforcement complaints of iphones being totally ‘secure’.

old news


15 posted on 04/22/2020 9:35:32 PM PDT by 867V309 (Lock Her Up)

To: cba123

As it happens, I cannot use Apple products, I am not ......


16 posted on 04/22/2020 9:43:06 PM PDT by doorgunner69 (Peace is that brief glorious moment in history when everybody stands around reloading - T Jefferson)

To: Loud Mime

Yes. Thank you Swordmaster.


17 posted on 04/22/2020 9:50:49 PM PDT by cba123 (I am an American. I am now in Vietnam.)

To: cba123


Yes. Thank you Swordmaster.

O what would be fr without its drudge?


18 posted on 04/22/2020 9:58:53 PM PDT by 867V309 (Lock Her Up)

To: 867V309

Drudge.

What a disappointment.

Used to read him daily. HUGE fan.

Now I go about once, every couple months. And even less, all the time.

Big, big disappointment.


19 posted on 04/22/2020 10:09:39 PM PDT by cba123 (I am an American. I am now in Vietnam.)

To: cba123

Especially since he sold out to google.


20 posted on 04/22/2020 10:10:36 PM PDT by CJ Wolf ( #wwg1wga #gin&tonic #godwins)