iPhone zero-days, while not unprecedented, are some of the most expensive vulnerabilities on the open market: they are relatively rare, highly sought after, and usable against a huge number of targets, because lots of people have iPhones and most of them run the same version of iOS. When zero-days are made public they are often patched very quickly, so those exploiting them hold them very close to the vest. Often, the people who develop zero-days are large hacking companies and government intelligence agencies, sophisticated actors who know how to cover their tracks. It is therefore rare for such exploits to be discovered “in the wild,” meaning while they are actively being used against specific targets. On Tuesday, another cybersecurity firm said it found iOS malware that used exploits for iOS 12.3, 12.3.1, and 12.3.2, which are older versions of Apple’s operating system.

Apple says the ZecOps zero-days have been patched in the latest iOS beta release, and will be patched in the upcoming iOS public update.
Do you work in exploit development or trade zero-days? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
Avraham said he and his team investigated a series of suspicious crashes on customers’ iPhones in the summer and fall of 2019. Once they looked into them, they realized the crashes had been triggered by a hack that leveraged unknown vulnerabilities. The hackers had sent an email that triggered the vulnerability and allowed them to execute code in the iPhone’s default Mail app.
In any case, the disclosure of these hacks is likely to reignite the debate over whether Apple is doing enough to secure the iPhone, and whether the company should make changes to iOS to allow defenders to be better at detecting and stopping attacks. Security researchers who focus on iOS have long asked Apple to let them look deeper into iOS code, and to grant special permissions to apps such as iVerify, which are designed to monitor hacks against the iPhone but have limited capabilities as of today because of Apple’s restrictions.

“As our detection techniques for iOS get better we’re likely to find more attacks like this one. This is not the only zero-day for iOS that’s floating around,” said Guido, whose company makes iVerify, an app designed to detect iPhone hacks. “There are very few people in the world that can defend against these kinds of attacks.”

Even if that is true, as we have explained in the past, it’s worth noting that these are targeted attacks. This particular example is not a case of a mass hack that affects hundreds of thousands of people, at least as far as we, or anyone else, knows at this point. If you’re worried about someone using this zero-day against you, delete the default Mail app from your phone.

UPDATE, April 24, 3:46 PM: On Thursday evening, Apple sent out a statement responding to ZecOps’ research. This is the full statement:

“Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”
“This is a Toyota Camry of bugs. It’ll get ya there, no problem. But it’s not a Ferrari.”