Serious Vulnerability Found in Almost All iPhones


Joanna Lee

According to a recent update by ZecOps, the vulnerability was found to have been able to affect even the first iPhone (aka iPhone 1 / iPhone 2G) on iOS 3.1.3.

Joanna Lee, Multimedia Editor

Recently, a serious vulnerability issue within Apple iPhones has been uncovered by San Francisco-based security firm ZecOps. The issue lies within the iPhone’s default mail app. The vulnerability is stated to have the ability to gain access through an inconspicuous email that is sent to the victim’s inbox and can remotely execute unsigned code and run malicious 3rd party programs all at a click of a button. 

The main entry points of attack were found through crashes caused by a failure in the ftruncate() and truncate() system call and also through a remote heap overflow in MFMutable. More information regarding the Crash Logs and analysis can be found on the ZecOps post regarding this issue.

ZecOps posted an infographic their main blog, condensing most of the critical information into one image.

The sent emails are said to consume significant amounts of memory in the process, although the vulnerability can be triggered before the entire email is downloaded and read. The mail contents are usually destroyed upon execution of the attacks so any evidence will not remain on the device. ZecOps also states that the attacker could possibly delete any other emails in the inbox however this has not yet been confirmed. 

ZecOps states that if an attack was successful, users would most likely experience a “temporary slowdown of the mobile application” and possibly a crash, however, it would probably not be noticeable. In a failed attempt, emails would appear in the victim’s inbox with the message “This message has no content.” On iOS 12 and earlier, victims would have been required to click on the email to execute the attacks, however users on iOS 13 and newer will be affected as soon as they open up the mail app.

Affected iPhones include those that are currently on software version iOS 6-13.4.1. All of the iPhones listed within that range have been tested to be vulnerable, including the most recent iOS update, iOS 13.4.1. iPhones with versions earlier than iOS 6 (released in 2012) may be vulnerable as well however they have not yet been tested.

In another graphic, ZepOcs advises users to use alternative mail applications and to disable the mail app until the issue is fixed by Apple.

Upon discovering this news, Senior Eric Vo states, “It was definitely very concerning. Privacy and security is something that we all value and how it could be so easily violated is something everyone wants to avoid.” 

The announcement of this issue could possibly be a wake-up call to millions of iPhone users who are misled to believe that iPhones and many Apple products in general are “unhackable” and that it’s impossible to receive a virus on an iPhone. Vo adds, “I think that this is something that should be managed by Apple as soon as possible because there are many people who aren’t always up to date with information like this and may be at higher risk.”

The attack involves specifically crafted emails that are sent to a known email address. Most of those who were targeted mainly consisted of individuals from famous “Fortune 500” organizations in North America and several other influential people. 

Although the attacks were mostly targeted at significantly wealthy individuals, the widespread nature of this issue has likely alerted thousands of other hackers to the existence of this issue, possibly putting millions and millions of ordinary iPhone users at risk. It has been reported that Apple will be fixing this in the iOS 13.4.5 update so attackers will likely take advantage of this tool while they still can.

The first incidents regarding this specific vulnerability have been reported back January 2018, however, this issue was actually known for more than 10 years due to the fact that Apple did not offer bug bounties at the time. The subject regarding Apple and bug bounties has been a topic of controversy for several years and is said to encourage users to withhold crucial information regarding serious security issues and exploits due to lack of a reward or compensation for their findings. 

 ZecOps advised iPhone users to update their phones as soon as a new update is released. In the meantime, users should delete the mail app and use alternatives such as Gmail or Outlook instead. The majority of iPhones currently in use today run on iOS 6 and newer so millions of people are potentially at risk.