Computer security researchers have published a report indicating a vulnerability in the native email application on Apple® iPhones® and iPads®. This “zero-click” vulnerability enables bad actors to hack into devices by sending specially crafted emails. Once the emails are received and opened in the native Apple mail applications, perpetrators can exfiltrate data from the device, without having to rely on users to take further action.
As explained in additional reports, the vulnerability by itself enables exfiltration of other emails from the device. In combination with other exploits, it can further enable unwarranted access to other data stored on the device beyond email.
Multiple exploitation attempts have been noted, including against a number of Fortune 500 organizations in the US, executives in Japan and Switzerland, and others. The exploit has been seen on devices running iOS versions 12 and 13. The underlying vulnerability exists as far back as iOS version 6.
Apple has been notified of the vulnerability. A beta patch to address the vulnerability has been released. A full release is expected in the near future.
Exploitation of the discovered Apple iOS email application vulnerability is not considered widespread, but it has been used against prominent victims. While only recently uncovered, the vulnerability may have been in existence for several years. The “zero-click” nature of the exploit makes it particularly dangerous.
ACA recommends exercising extra caution to maintain email security when using Apple devices. Recommended actions include:
- Make sure all Apple devices are part of a company mandated patching program.
- Apply the patch in the upcoming release of IOS 13.4.5 as soon as it becomes available (Use Settings > General > Software Updates to check your current version for the availability of patches).
- Consider using alternate email applications such as Microsoft® Outlook® or Google®Gmail® on Apple devices. These applications are not vulnerable to the newly discovered exploit.
- Exercise vigilance in the use of email for confidential information.
- Be on the lookout for any unusual activity that may result from the exfiltration of data from company devices.
ACA is actively monitoring the developments related to COVID-19 and producing resources to help your firm address operational challenges created by this pandemic. Visit our COVID-19 Resources page to access all of the resources we've developed that may help your firm navigate through the restrictions in place to curb the pandemic.
How We Help
ACA offers the following solutions that can help firms enhance their cybersecurity in light of the announced Apple iPhone and iPad email vulnerability:
- Free Online Cybersecurity Training
- Phishing testing and cyber awareness
- Penetration testing and vulnerability assessments
- Threat intelligence
- Cyber incident response planning
If you have any questions, please contact your ACA Aponix consultant or email us at firstname.lastname@example.org.