A new iOS vulnerability was made public on the 23rd of April 2020. It allows hackers to take over an iPhone with no user interaction through a sophisticated security flaw in Apple's built-in email app that Apple hasn't yet fixed, according to research by the cyber security firm ZecOps.
The attack is reported to be delivered via email and affects the Apple iPhone Mail application in every version of iOS.
We have found no instance of the attack in any of our clients' inboxes.
Please be aware that Apple has not produced a patch, but for now, it seems to have been a targeted attack. What this means is that hackers are highly likely to take advantage of this time.
Please be advised that client mailboxes that are managed by Cloud E Systems are protected against this threat, as our cloud email security solution filters messages before they hit your inbox.
Zero-Click: This attack method is dangerous as it doesn't require user interaction. The vulnerability lies in the way the Mail application handles the email.
The vulnerability grants the attacker full access to install any software on the phone remotely. Apple has created a fix to block this attack, but it is still unreleased as of iOS 13.4.1. Until it is patched, the recommendation is to disable the iOS Mail app.
Why You Should Care
- Now that the attack has been made public, it is likely to be used by attackers.
- Please be aware that Gmail or Office 365 will not be filtering these email threats at present, as it's not a widespread issue yet.
- The threat needs to be stopped before hitting your mailbox / iPhone, so having a comprehensive cloud email filtering solution is crucial.
What Can I Do?
- Inform those using the iOS native email client of this vulnerability and recommend that they move to a different email client for iOS or only use the desktop application or web clients, which are not affected.
- Instruct users to update their iPhones as soon as the fix is available.
- Speak to your Managed Service Provider or IT company to ensure all preventative measures are in place.
For more technical information on the attack, read the original ZecOps report.