Apple released test patches for the vulnerabilities in the iOS 13.4.5 beta, and the fix should enter wide release soon.
Even though the vulnerabilities ZecOps disclosed couldn’t be exploited for fundamental control on a target device, an attacker could still build a so-called “exploit chain” using the Mail bugs as just the first link to mount an invasive attack. And iOS security researcher and Guardian Firewall creator Will Strafach points out that while Apple and ZecOps are correct about the limited utility of the Mail bugs alone, it’s still important to take these types of bugs seriously.
“A zero-click like this is especially interesting because it is not a full exploit chain, yet due to the nature of how it works, it could enable something like a smash-and-grab for mailbox data. Even the prospect of copying emails then self-deleting the crafted ‘attack email’ is quite scary.”
The vulnerabilities ZecOps discovered would be difficult to exploit reliably, and the firm found indications of the attacks in crash logs and other digital remnants on some of its clients' iPhones. But the attackers left other clues behind, indicating that they didn’t feel the need to be maximally cautious and that they were satisfied with using a somewhat down and dirty zero-click.
The fact that Apple has been unable to independently verify that the bugs were exploited in the wild is not surprising, says Patrick Wardle, a former National Security Agency analyst and Apple security researcher at the firm Jamf.
“It is unlikely that if this vulnerability was used in highly targeted attacks that Apple would find evidence of such attack,” Wardle says. “Either way, it would be helpful for Apple to articulate how they came to this conclusion.”
Even the crudest zero-click attacks leave little trace, which makes tracking them an issue. Security analysts say that in many cases, the very features that make software more secure often make zero-click attacks harder to detect.
For example, researchers from Google's Project Zero published findings in August that Apple's iMessage had vulnerabilities that could potentially be exploited by simply sending someone a text. The messaging platform's end-to-end encryption, which protects data as it moves across the internet so it is only readable on the sender and receiver's devices, would make it difficult for Apple or security monitoring firms to detect if attackers were sending customized zero-click messages on the platform.
This doesn't undermine the necessity of defenses like end-to-end encryption, Wardle says. But he notes that these challenges underscore the importance of raising awareness about interactionless attacks and working to develop detection capabilities. As ZecOps is trying to demonstrate, crash logs can be fertile ground for incident responders looking for abnormalities that could indicate malicious activity. The NSA has at times taken a specific interest in collecting and retaining crash logs, according to information leaked in 2013 by Edward Snowden. Given that the agency develops hacking tools for its digital espionage work, this initiative could have been related to novel vulnerability discovery, attack detection, or perhaps both.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4