Last week, the cybersecurity company ZecOps announced that it had discovered two significant vulnerabilities in the Mail application on Mac, iPad and iPhone, which allow an attacker to remotely compromise an iPhone or iPad and take full control of the user's mailbox. The vulnerabilities affect Mac, iPad and iPhone users on iOS 6 through iOS 13, and according to the company, attacks exploiting them have been occurring for about two years; the first sample was discovered in January 2018.
One of the vulnerabilities would allow an attacker to compromise a remote iOS device by sending emails that consume a large amount of memory. The vulnerability is triggered without user interaction ("zero-click") on iOS 13, and by opening the email on iOS 12. The other vulnerability would allow remote code execution. Successful exploitation of these vulnerabilities would allow an attacker to publish, modify, or delete users' emails.
Although it remains to be determined whether these vulnerabilities have actually been used to compromise iOS users, this shows once again that iOS is not as safe as we tend to assume. Although Apple applies stricter policies for publishing applications on its official App Store, its devices can still be attacked in other ways: phishing campaigns, malicious certificates, man-in-the-middle attacks, or remote code execution delivered through malicious email campaigns, such as the one described here. While users need to trust their operating system vendors, they also need to be aware of the growing number of threats to mobile devices and take their own security measures, even on iOS.
Until a security patch is released, we recommend disabling the native Mail application and using another email client.
Note that Check Point customers (Enterprise) remain protected:
- CloudGuard SaaS provides email security to ensure that accounts and devices are not compromised:
- Because this is a "zero-click" attack that requires no user interaction, the malicious email must be blocked before it reaches the inbox. CloudGuard SaaS accounts in "Protect (Inline)" mode remain protected and require no user action.
- CloudGuard SaaS accounts in post-delivery "Monitor" or "Detect and Prevent" mode should be switched to "Protect (Inline)" mode. This quarantines emails before they reach the inbox and protects customers from this and other zero-day (and zero-click) attacks.
Customers using Check Point’s security gateways with the MTA feature enabled are also protected against these attacks. We recommend that you contact Check Point support for instructions on how to enable it.
- SandBlast Mobile provides mobile threat defense capabilities to protect against sophisticated exploitation of mobile vulnerabilities.
- When these vulnerabilities are used as part of an exploit chain to gain full access to a device, and the device ends up jailbroken, SandBlast Mobile detects the jailbreak and alerts the user and the administrator.
- If the attack is used to steal data from the mobile device and connect to a remote command and control server, the Anti-Bot feature of the device's network protection blocks the communication.
- As soon as Apple publishes a security patch, SandBlast Mobile automatically applies it to the device.