ZecOps discovers current iOS mail app vulnerability that has been exploited in the wild

Posted on Apr 23, 2020 by Caleb Chen

A zero-click security vulnerability has been found that leaves hundreds of millions of iPhones and iPads vulnerable to remote code execution. The vulnerability affects iOS 13 through the MobileMail app. The same security vulnerability exists in iOS 12 through the maild app, but there it requires the target to click on the email. The security vulnerability allows an attacker to essentially take over your iPhone or iPad by sending a specific type of email that is then processed automatically by Apple’s Mail App. This type of vulnerability is known as a heap overflow. Apple is working on a fix that will be released with the next public update to iOS 13. In the meantime, iPhone and iPad users remain vulnerable, as it’s impossible to turn off the default Mail App daemon without rooting your iOS device. The vulnerability was discovered by security firm ZecOps. In their blog post, they summarized the issue:

“The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory.”

Mail App vulnerability has existed for years, and has been exploited in the wild

According to ZecOps, this Mail App vulnerability has existed since iOS 6 – at least. It’s entirely possible that earlier versions of iOS were vulnerable to the same exploit, but the researchers haven’t tested it. The earliest confirmed use of this exploit dates back to January 2018 and occurred on iOS 11. Users targeted with this attack wouldn’t notice anything besides a temporary slowdown of their mail app. If the attack attempt fails, the iOS device would show the following error message:

“This message has no content.”

This is a message that most iPhone and iPad users have seen before and are comfortable ignoring without concern. Based on their research, ZecOps is confident in saying that this vulnerability has been exploited in past years, and specifically noted that the following have been hacked through it:

  • Individuals from a Fortune 500 organization in North America
  • An executive from a carrier in Japan
  • A VIP from Germany
  • MSSPs from Saudi Arabia and Israel
  • A Journalist in Europe

ZecOps also suspects that a Swiss businessman was targeted with this exploit. Additionally, ZecOps has noted that attacks using this exploit can be tied to at least one “nation-state threat operator or a nation-state.” Patrick Wardle, an Apple security expert, commented to Reuters about the discovery:

“[it] confirms what has always been somewhat of a rather badly kept secret: that well-resourced adversaries can remotely and silently infect fully patched iOS devices.”

This isn’t the first security flaw found in iOS 13 and likely won’t be the last. Bill Marczak, a security researcher from Canada’s Citizen Lab, also commented on the widespread impact of this vulnerability and on how hard it would have been for the average user to mitigate it prior to its disclosure:

“A lot of times, you can take comfort from the fact that hacking is preventable. With this bug, it doesn’t matter if you’ve got a PhD in cybersecurity, this will eat your lunch.”

iPhone and iPad users might be wondering what they can do in the downtime before Apple releases its fix to the public. 9to5Mac suggests using a different mail app to handle mail on your iOS device, while ZecOps notes that everyone should update to the new version of iOS 13 as soon as it is available.