Apple Inc plans to fix an error that, according to a security company, has left more than half a billion iPhones vulnerable to hackers.
The bug, which also occurs on iPads, was discovered by Zuk Avraham, chief executive of San Francisco-based forensic mobile security company ZecOps, while investigating an advanced cyber-attack against a customer in late 2019. Avraham said he had found evidence that the vulnerability had been exploited in at least six cybersecurity breaches. An Apple spokesperson acknowledged that there is a vulnerability in Apple’s email software on iPhones and iPads, known as the Mail app, and that the company has developed a solution that will roll out in an upcoming update to millions of devices that it has sold worldwide.
Apple declined to comment on Avraham’s investigation, which was released on Wednesday and suggests that the flaw could be triggered remotely and that it has already been exploited by hackers against high-profile users. Avraham said he found evidence that a malicious program exploited the vulnerability in Apple’s iOS mobile operating system as early as January 2018. He was unable to identify who the hackers were, and Reuters was unable to independently verify his claim.
To execute the hack, Avraham said the victims would receive a seemingly blank email message through the Mail app, causing a crash and reset. The crash opened the door for hackers to steal other data on the device, such as photos and contact details. ZecOps claims the vulnerability allowed hackers to steal data from iPhones remotely, even if they were using recent versions of iOS. On its own, the error would allow access to everything the Mail app had access to, including confidential messages.
Avraham, a former Israeli defense force security researcher, said he suspected that the hacking technique was part of a series of malicious programs, the rest undiscovered, that could have given an attacker full remote access. Apple declined to comment on that prospect. Avraham based most of his conclusions on data from “crash reports”, which are generated when programs fail on a device in the middle of a task. He was then able to mimic a technique that caused the controlled crashes.
Two independent security researchers who reviewed ZecOps’ discovery found the evidence credible, but said they had not fully recreated the findings due to time constraints. Patrick Wardle, an Apple security expert and former investigator for the US National Security Agency, said the discovery “confirms what has always been a rather poorly kept secret: that well-equipped opponents can infect fully patched iOS devices remotely and silently.”
Since Apple was not aware of the software bug until recently, it could have been very valuable to governments and contractors offering hacking services. Exploitation programs that work without warning against an up-to-date phone can be worth over $1 million. While Apple is largely regarded within the cybersecurity industry as setting a high standard for digital security, any successful hacking technique against the iPhone can affect millions due to the global popularity of the device. In 2019, Apple said there were approximately 900 million iPhones in active use.
Bill Marczak, a security researcher at Citizen Lab, a Canada-based academic security research group, called the discovery of vulnerabilities “scary”. ‘Often you can take comfort in the fact that hacking is preventable,’ says Marczak. ‘With this bug, it doesn’t matter if you have a PhD in cybersecurity, this will eat your lunch.’
(This story has not been edited by staff and is automatically generated from a syndicated feed.)