iOS zero-day warning: Hack in Apple Mail app

Apple users beware! The email app pre-installed on all iPhones and iPads is vulnerable to two critical flaws that let attackers spy on unwitting victims.
The flaws could allow remote attackers to secretly take complete control of Apple devices simply by sending an email to a targeted person whose email account is synchronized in the Apple Mail app. According to cyber security researchers at “ZecOps”, these are remote code execution flaws found in the MIME library of Apple’s Mail app.

Apple Mail hack: effects and details

  • The iOS attack enables remote code execution capabilities and allows an attacker to take remote control of a device by sending emails that take up a lot of disk space
  • The vulnerability does not necessarily require a large email – a normal email that can consume enough RAM should suffice. There are many ways to achieve such resource exhaustion, including RTF, multipart and other methods
  • The attack can be triggered before an entire email is downloaded. Therefore, the email content does not necessarily remain on the device
  • There is a possibility that the attackers have deleted remaining emails after a successful attack
  • Vulnerability trigger under iOS 13: Unassisted (zero-click) attacks under iOS 13 when the Apple Mail app is opened in the background
  • Trigger for security vulnerability under iOS 12: The attack requires a click on the email. The attack is triggered before the content is rendered. The user will not notice anything unusual in the email itself
  • Unassisted (zero-click) attacks on iOS 12 can be triggered if the attacker controls the mail server
  • The security vulnerabilities have existed since at least iOS 6 (released September 2012), when the iPhone 5 was released
  • The first attack attempts were discovered in January 2018 under iOS 11.2.2
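
For defenders who want to triage inbound mail while devices are still unpatched, the following added example (not code from ZecOps, Apple or agilimo) measures the MIME shape of a message, using the resource-exhaustion vectors named in the list above (multipart, RTF), and flags outliers for review. It does not detect the vulnerability itself; the thresholds, the finding names and the sample message are assumptions made for illustration.

```python
"""Added example: heuristic MIME-shape triage for a mail gateway.
Thresholds are illustrative assumptions, not values from the advisory."""
from email import message_from_bytes, policy

MAX_PARTS = 200                   # assumed cap on total MIME parts
MAX_DEPTH = 10                    # assumed cap on multipart nesting
MAX_RTF_BYTES = 5 * 1024 * 1024   # assumed cap on one decoded RTF part
RTF_TYPES = {"text/rtf", "application/rtf", "text/richtext"}

def inspect_message(raw, max_parts=MAX_PARTS, max_depth=MAX_DEPTH,
                    max_rtf=MAX_RTF_BYTES):
    """Walk the MIME tree and return shape metrics plus threshold findings."""
    root = message_from_bytes(raw, policy=policy.default)
    stats = {"parts": 0, "depth": 0, "largest_rtf": 0, "findings": []}
    stack = [(root, 0)]
    while stack:  # iterative walk with an explicit stack instead of recursion
        part, depth = stack.pop()
        stats["parts"] += 1
        stats["depth"] = max(stats["depth"], depth)
        if part.is_multipart():
            # Covers multipart/* and message/rfc822 containers alike.
            stack.extend((child, depth + 1) for child in part.get_payload())
        elif part.get_content_type() in RTF_TYPES:
            # decode=True undoes base64 / quoted-printable before measuring.
            body = part.get_payload(decode=True) or b""
            stats["largest_rtf"] = max(stats["largest_rtf"], len(body))
    if stats["parts"] > max_parts:
        stats["findings"].append("part-count")
    if stats["depth"] > max_depth:
        stats["findings"].append("nesting-depth")
    if stats["largest_rtf"] > max_rtf:
        stats["findings"].append("rtf-size")
    return stats

# Constructed sample message (benign: two parts, one small RTF body).
SAMPLE = (b"From: a@example.com\r\nTo: b@example.com\r\nSubject: test\r\n"
          b"MIME-Version: 1.0\r\n"
          b'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
          b"--XX\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
          b"--XX\r\nContent-Type: text/rtf\r\n\r\n{\\rtf1 hi}\r\n"
          b"--XX--\r\n")

if __name__ == "__main__":
    print(inspect_message(SAMPLE))
```

A message that trips a finding is a candidate for quarantine or manual review, not proof of an attack; tune the limits against your own mail flow before enforcing them.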

Apple Mail Hack: The solution

iOS users should refrain from using Apple Mail in connection with confidential data with immediate effect and switch to an alternative email client. The public beta of iOS 13.4.5 provides a remedy and closes the security gap. According to Apple, the official version will be released shortly. Until then, agilimo consulting GmbH recommends deactivating the synchronization of email accounts in the native Apple email app. Synchronization can be switched off under “Settings” and “Passwords & Accounts”.

macOS not affected

Update: The Mail app on a Mac is not affected by the hack.

For alternative solutions for secure synchronization of PIM information (e-mail, contacts, calendar), please contact agilimo consulting GmbH: info@agilimo.de, +49 (0) 6028-94013-0
