An unpatched, “zero click” vulnerability in iOS’s email system is being exploited in the wild and has been used to target high profile individuals in Germany, Israel, Japan, the US and Saudi Arabia, according to new research published by San Francisco-based security firm ZecOps.

In what it describes as “one of the deepest vulnerabilities ever discovered on mobile (including Android)”, ZecOps said the vulnerability affects phones all the way back to the iPhone 6 (2012) through to the present, with the series of vulnerabilities actively triggered on OS 11.2.2 and potentially earlier.

Only the beta release of iOS 13.4.5 beta is patched.

Unpatched iPhone Zero Day

ZecOps is advising users unable to update to that beta release, to disable their Apple email applications and use alternative applications. (The vulnerability does not compromise the entire phone, just its email: “Attackers would require an additional infoleak bug & a kernel bug afterwards for full control”). 

The remote heap overflow vulnerability can be triggered remotely without any user-interaction (aka ‘0-click’) on iOS 13; to attack iOS 12 phones, users need to click an email to be compromised, ZecOps said. Up to half-a-billion smartphones are believed to be vulnerable. The company has promised to publish a proof-of-concept (PoC) of the attack in the near future.

In detailed blog post describing its research on the vulnerability for clients, ZecOps said that after initially following responsible disclosure and notifying Apple on February 20, ZecOps said it re-analysed historical data and found “additional evidence of triggers in the wild on VIPs and targeted personas.”

Asked how it had identified this, ZecOps’ CEO Zuk Avraham suggested to Computer Business Review in a Twitter DM that some attacks had been learned by direct analysis of targeted phones, saying: “Our solution requires [us] to physically connect the phone to pull the data, we know some [of the attacks] directly, and some indirectly.” He did not add more detail. 

The company said: “We sent an email notifying the vendor [Apple] that we will have to release this threat advisory imminently in order  to enable organizations to safeguard themselves as attacker(s) will likely increase their activity significantly now that it’s patched in the beta.”

The exploit can be triggered owing to a vulnerability inNSMutableData (a dynamic byte buffer function that allows data contained in data objects to be copied or moved between applications) which sets a threshold of 0x200000 bytes. As ZecOps explains: “If the data is bigger than 0x200000 bytes, it will write the data into a file, and then use the mmap systemcall to map the file into the device memory. The threshold size of 0x200000 can be easily excessed, so every time new data needs to append, the file will be re-mmap’ed, and the file size as well as the mmap size getting bigger and bigger.”

Owing to error checking for system call ftruncate() which leads to the Out-Of-Bounds write and a second heap overflow bug that can be triggered remotely, an attacker merely needs to craft a special oversized email to trigger access, with the goal of making mmap to fail, ideally, a big enough email is going to make it happen inevitably. Vulnerabilities can be triggered using “other tricks” to make mmap fail, the security research team said.

The company noted:

  • “We have seen multiple triggers on the same users across multiple continents.
  • “We examined the suspicious strings & root-cause (such as the 414141…41 events and mostly other events):
    1. We confirmed that this code path do not get randomly triggered.
    2. We confirmed the registers values did not originate by the targeted software or by the operating system.
    3. We confirmed it was not a red team exercise / POC tests.
    4. We confirmed that the controlled pointers containing 414141…41, as well as other controlled memory, were part of the data sent via email to the victim’s device.
  • “We verified that the bugs were remotely exploitable & reproduced the trigger.
  • “We saw similarities between the patterns used against at least a couple of the victims sent by the same attacker.
  • “Where possible, we confirmed that the allocation size was intentional.
  • “Lastly, we verified that the suspicious emails were received and processed by the device – according to the stack trace and it should have been on the device / mail server. Where possible, together with the victims, we verified that the emails were deleted.”

“With very limited data we were able to see that at least six organizations were impacted by this vulnerability – and the potential abuse of this vulnerability is enormous. We are confident that a patch must be provided for such issues with public triggers ASAP.”

The news is the latest blow to the iPhone’s security reputation. It comes after security researchers at Google published a series of blogs on August 30 detailing five unique iOS exploit chains that were being exploited in the wild, apparently by a state actor targeting Uyghur activists.

Security researchers continue to say that Apple’s efforts to enforce control over security research by making devices hard to access by third-party researchers are damaging its security. Debugging work requires using specialist cables, developer-fused iPhones, and other equipment. (A Motherboard investigation puts the price for these cables at $2,000 on the grey market and a dev-fused iPhone XR at a chunky $20,000.)

Apple in August 2019 announced a major overhaul of its bug bounty programme in an effort to improve engagement. It is now available to all security researchers, rather than being invite only, and includes vulnerabilities in macOS, tvOS, watchOS, and iCloud. It says a $1m bounty is up for grabs for proof of a zero-click, full chain kernel code execution attack. Previously the bounty for zero-click vulnerabilities was set at $200,000.

Apple has been contacted for comment.

See also: iPhone vs Android: With a Side of Corporate Jostling and Espionage