Researchers Say They Caught an iPhone Zero-Day Hack in the Wild

In the summer of 2016, researchers at a digital rights organization and a cybersecurity firm announced they had caught one of the rarest fish in the cybersecurity ocean—an in the wild attack against an iPhone, using unknown vulnerabilities inside Apple’s vaunted operating system. Since then, only a handful of similar attacks have been caught and publicly disclosed.

Now, a small startup said it has caught another one.

ZecOps, a company based in San Francisco, announced on Wednesday that a few of its customers were targeted with two zero-day exploits for iOS last year. Apple will patch the vulnerability underlying these attacks on an upcoming release of iOS 13.

“We concluded with high confidence that it was exploited in the wild,” Zuk Avraham, the founder of ZecOps, told Motherboard. “One of [the vulnerabilities] we clearly showed that it can be triggered remotely, the other one requires an additional vulnerability to trigger it remotely.”

“These vulnerabilities,” ZecOps researchers wrote in a report they published Wednesday, “are widely exploited in the wild in targeted attacks by an advanced threat operator(s) to target VIPs, executive management across multiple industries, individuals from Fortune 2000 companies, as well as smaller organizations such as MSSPs.”

One of the two vulnerabilities, according to Avraham, is what's known as a remote zero-click. This kind of attack is dangerous because it can be used by an attacker against anyone on the internet, and the target gets infected without any interaction—hence the zero-click definition.

Vulnerabilities or exploits called zero-days are bugs in software or hardware that are unknown to their manufacturers and can be used to hack targets. They can be particularly effective attacks because they use flaws that are not patched yet, meaning there’s no code deployed to specifically defend against them.

iPhone zero-days, while not unprecedented, are some of the most expensive vulnerabilities on the open market because they are relatively rare, highly sought after, and can be used against a huge number of targets because lots of people have iPhones, and most of them with the same version of iOS. When zero-days are made public, they are often patched very quickly, meaning that these exploits are held very close to the vest by those exploiting them. Often, the people who develop zero-days are huge hacking companies and government intelligence agencies, who are sophisticated actors and know how to cover their tracks. Therefore, it is rare for them to be discovered “in the wild” meaning actively being used against specific targets. On Tuesday, another cybersecurity firm said it found iOS malware that used exploits for iOS 12.3, 12.3.1, and 12.3.2, which are older versions of Apple’s operating system.

Apple says the ZecOps zero-days have been patched in the latest iOS beta release, and will be patched in the upcoming iOS public update.

Avraham said he and his team investigated a series of suspicious crashes on customers’ iPhones in the summer and fall of 2019. Once they looked into them, they realized they had been triggered by a hack that leveraged unknown vulnerabilities. The hackers had sent an email that triggered the vulnerability and allow them to execute code in the iPhone’s default Mail app.

Surprisingly, the emails that triggered the hack were not found on the targets’ iPhones, according to Avraham, who thinks the hackers deleted them after the attack to cover their tracks.

The hackers were “someone who wants to get privileged access” to his customers, Avraham said. He suspected they were working for a nation state that had purchased the exploits from a third party, and said ZecOps is aware of at least one “hackers-for-hire” organization selling attacks that use email as main identifier, but declined to provide any other evidence.

“It's someone who’s spending budgets on buying exploits but they don’t really have the technical capabilities to change those exploits for better OPSEC," Avraham said.

To verify that his customers were targeted with zero-days, Avraham and his researchers used the information they learned from the attack to reproduce the zero-days in their lab, and tested that they effectively worked. The company then reported their findings to Apple at the end of March, according to Avraham.

Motherboard could not verify that this zero-day was in fact used in the wild, but Apple patched it in the current iOS beta and will patch it in the next public release. Independent experts who reviewed ZecOps’ research believe the firm’s assessment.

“We have all the pieces that likely indicates a vulnerability that’s being actively exploited,” Patrick Wardle, a former NSA hacker and now an expert in Mac security, told Motherboard.

Avraham declined to disclose many details about who the targets were, and did not say whether they lost any data as a result of the attacks, but said “we were a bit surprised about who was targeted.” He said some of the targets were an executive from a telephone carrier in Japan, a “VIP” from Germany, managed security service providers from Saudi Arabia and Israel, people who work for a Fortune 500 company in North America, and an executive from a Swiss company.

Dan Guido, the CEO of Trail of Bits, a cybersecurity firm in New York that specializes in iOS security, said that one of the zero-days found by ZecOps “is something you see so rarely on mobile devices and iOS,” given that it’s remote and doesn’t require the victims to click on anything.

On the other hand, this is not as polished a hack as others, as it relies on sending an oversized email, which may get blocked by certain email providers. Moreover, Avraham said it only works on the default Apple Mail app, and not on Gmail or Outlook, for example. (Google did not respond to a request for comment asking whether it would block such emails. Microsoft declined to comment.)

“There’s a time and a place for smash and grab and there’s a time and a place for a sneak in,” said a veteran who has been dealing zero-days for years, referring to the fact that this attack is not as stealthy as others he has seen. “This is a Toyota Camry of bugs. It’ll get ya there, no problem. But it’s not a Ferrari.”

The veteran, who asked to remain anonymous because he wasn’t allowed to speak to the press, said that highly sophisticated spy agencies would deem a bug like this too risky to use against a “a high value target.”

In any case, the disclosure of these hacks is likely to reignite the debate over whether Apple is doing enough to secure the iPhone, and whether the company should make changes to iOS to allow defenders to be better at detecting and stopping attacks. Security researchers who focus on iOS have long asked Apple to allow them to look deeper into iOS code, and allow for special permissions for apps such as iVerify, that are designed to monitor hacks against the iPhone, but have limited capabilities as of today, due to Apple’s restrictions.

“As our detection techniques for iOS get better we’re likely to find more attacks like this one. This is not the only zero-day for iOS that’s floating around,” said Guido, whose company makes iVerify, an app designed to detect iPhone hacks. “There are very few people in the world that can defend against these kinds of attacks.”

Even if that is true, as we have explained in the past, it’s worth noting that these are targeted attacks. This particular example is not a case of a mass hack that affects hundreds of thousands of people, at least as far as we, or anyone else knows at this point. If you’re worried about someone using this zero-day against you, delete the default Mail app from your phone.

UPDATE, April 24, 3:46 PM: On Thursday evening, Apple sent out a statement responding to ZecOps' research. This is the full statement:

"Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”

Subscribe to our new cybersecurity podcast, CYBER.