Zuk Avraham, the chief executive and co-founder of ZecOps, said the code stood out because it wasn’t found on many other iPhones. Avraham and others at the company investigated it for months, eventually discovering that it was connected to a previously unknown flaw in Apple’s email app. It alerted Apple, which is in the process of fixing the flaw, he said.
In an emailed statement, Apple spokesman Todd Wilder said the security flaws ZecOps discovered “do not pose an immediate risk to our users” and would be addressed in a software update soon. He did not say when the fix would be made. He said the vulnerabilities in the Mail app alone would not be enough to bypass iPhone and iPad security protections and the company hasn’t found evidence that the holes were exploited by bad actors. However, a single security flaw is rarely enough to take control of an iPhone. Hackers often use exploits like the one ZecOps found in the Mail app in conjunction with other vulnerabilities to hack into iPhones.
The discovery of the flaw highlights a problem that has increasingly come to light in recent months. While Apple’s marketing claims its iPhones are better secured than the competition, its mobile operating system, called iOS, is particularly vulnerable to sophisticated attacks like the one that befell Amazon chief executive and founder Jeff Bezos last year. (Bezos owns The Washington Post.)
Like the attack suspected on Bezos’s phone, the hack that ZecOps says it discovered is referred to as a “zero click” attack. While less sophisticated attacks require the victim to click on a link, usually in a phishing email or text message, a zero click exploit requires no participation on the part of the victim. In this case, the perpetrators can send an email to the victim containing the malicious code. That code can then set off a chain reaction, called an “exploit chain,” that knocks down the phone’s defenses one-by-one, erasing its tracks along the way and making it nearly impossible to detect.
Avraham declined to name the clients he believes were targeted but said in a blog post Thursday that they include a Fortune 500 company in North America, a journalist in Europe, an executive in Japan and others.
ZecOps still has no idea who might have been behind the attacks that it says affected its clients, but Avraham said in an interview that he believes the attack was likely carried out by a nation-state or a deep-pocketed entity.
Apple makes it difficult for security researchers to find bugs in iPhones, which whittles down the number of people capable of prying into the operating system and increases the value of exploits, which are sold on the black market to the highest bidder. Those bidders include nation-states and third-party security companies that help deep-pocketed entities hack into their enemies’ iPhones. Once an exploit is successful, Apple’s locked-down security makes it nearly impossible for victims to know they’ve been hacked.
The murkiness of iOS makes the job of companies like ZecOps extremely difficult. Even with the ability to scan the logs of its clients’ iPhones, the company is often able only to theorize whether there’s been an attack, with varying degrees of certainty. That’s what makes its most recent discovery so rare. It was able to essentially reverse-engineer suspicious activity and use it to discover an unknown security exploit.
While the hack raises questions about whether iPhone users should use the built-in email app, removing it can create challenges. Even if an Apple customer deletes the app, there is no way to change the default email application to a competing app, such as Microsoft’s Outlook. Deleting the app can lead to a loss of functionality. For instance, clicking on an email link will no longer work and users will be greeted by a message from Apple requesting that they re-download the app.