Hackers may have been able to exploit and access iPads and iPhones for years through newly discovered vulnerabilities in Apple’s email software, research released this week by cybersecurity group ZecOps found.
According to ZecOps, hackers sent blank emails through the Mail app that caused it to slow down or crash, which then allowed the hackers to gain access to the device and steal data such as photos or contacts. The initial email that allowed them into the device would then be deleted to cover their tracks.
The company wrote that it assessed with “high confidence” that the vulnerabilities were used by “advanced threat operators,” including at least one nation state, to target certain iPhone and iPad users.
While Apple did not immediately respond to The Hill’s request for comment on the vulnerabilities, a spokesman for the company told Reuters that Apple will develop patches that will be rolled out in an upcoming software update.
ZecOps Founder and CEO Zuk Avraham told Reuters that his company had found evidence that the vulnerabilities were used by hackers at least six times to break into devices.
According to the report on the vulnerabilities, ZecOps discovered that the targets of the six attacks included a journalist in Europe, staffers at a North American Fortune 500 company, and a VIP from Germany, among others.
ZecOps wrote that the attacks began in early 2018 and that “it is likely that the same threat operators are actively abusing these vulnerabilities presently,” adding that the operators were potentially doing so prior to 2018.
Avraham described the vulnerabilities in a tweet on Wednesday as “one of the deepest vulnerabilities ever discovered on mobile (including Android),” and said that the vulnerabilities date back to the iOS 6 mobile operating system, which was rolled out in 2012.
“These 0 click vulnerabilities that had in the wild triggers exists on iOS since (hold your breath)... iOS 6!! This is one of the deepest vulnerabilities ever discovered on mobile (including Android). https://t.co/4mjXsPfrKM”
Zuk (@ihackbanme), April 22, 2020