Attacking iOS Devices through Mobile Mail

Figure | Failure of the attack will result in suspicious contentless emails (Source: ZecOps)
American cybersecurity startup ZecOps recently announced that it has discovered two new zero-day vulnerabilities in iOS, one of which is more serious: it allows an attacker to trigger it remotely through the Mail application that ships with the iPhone and iPad, causing the application or the device to crash and restart, after which the attacker can run code remotely and obtain private mail. Throughout the whole process the user does not need to perform any action, not even open the email, which makes the attack very difficult to detect and prevent. The researchers said that these vulnerabilities not only exist in the latest iOS 13, but can be traced back as far as the era of iOS 6, when the iPhone 5 was released in 2012. The desktop system, macOS, does not have the same problem.

Figure | The affected system version can be traced back to iOS 6 in 2012 (Source: ZecOps)

After investigation, the company also found that its network security monitoring platform first caught an attack exploiting the vulnerability in January 2018, on a device running iOS 11.2.2, and that a number of users had already been compromised. It is likely that there were earlier attacks that were not caught, because whether or not an attack succeeds, users will hardly notice any anomaly in daily use, apart from the Mail application occasionally crashing or suddenly quitting. An Apple spokesperson has acknowledged that the vulnerability exists, saying that the company has developed a patch for the problems in the iOS 13.4.5 Beta. Users who do not want to install the Beta need to wait for the next official update.

Since iOS 6 and all later versions are affected, ZecOps recommends that iPhone and iPad users who have not yet updated temporarily disable the system's own Mail application and use a third-party mail application such as Gmail or Outlook. "We are convinced that the vulnerability has been widely exploited by hackers. The targets of the attack include a German VIP customer, a Japanese telecommunications company executive and a North American 500 company executive, etc. I have seen these vulnerabilities in six cybersecurity incidents," said ZecOps founder Zuk Avraham. Zuk Avraham is a former IDF security researcher. He suspected that the vulnerability may be part of malware targeting Apple devices, and claimed that the ZecOps team also found evidence of attacks against employees of five companies in Japan, Germany, Saudi Arabia, and Israel. No further details were disclosed.

Figure | Apple's patch code for the vulnerability has been added to iOS 13.4.5 Beta (Source: ZecOps)

The ZecOps investigation report showed that the researchers first discovered a problem in a system call made by the MIME library used by the Mail application: the function does not check the return value of the call for errors, which leads to an out-of-bounds memory write. Investigating further, they discovered a second, more serious heap overflow problem: as long as memory is consumed in a specific way, a heap overflow occurs and the application or the system crashes. It is worth noting that, although it consumes memory, the attack mail does not need to be several GB in size. With specific techniques and formats, such as specially crafted RTF text, the same memory consumption can be achieved.
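The first bug class described above, as an added illustration that is not MobileMail's code: a hypothetical growable buffer backed by a file mapping, enlarged with ftruncate() (the call ZecOps' writeup identifies as the one whose result went unchecked). The unchecked form writes past the real end of the store whenever the grow fails; the hardened form reports the failure and leaves the buffer untouched. The filebuf type, grow() and the two demo functions are constructed for this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Constructed illustration of the bug class (not MobileMail's own code): a
 * growable buffer stored in a file mapping that is enlarged with ftruncate(). */
typedef struct { int fd; unsigned char *map; size_t cap, len; } filebuf;
/* Enlarge the backing file to newcap bytes and map it writable; -1 on failure. */
static int grow(filebuf *b, size_t newcap) {
    if (ftruncate(b->fd, (off_t)newcap) != 0) return -1;
    unsigned char *m = mmap(NULL, newcap, PROT_READ | PROT_WRITE, MAP_SHARED, b->fd, 0);
    if (m == MAP_FAILED) return -1;
    if (b->map) munmap(b->map, b->cap);
    b->map = m; b->cap = newcap;
    return 0;
}
/* Vulnerable form: the status of the ftruncate()-based grow is thrown away, so when
 * the file cannot be enlarged the copy runs past the real end of the store. */
void append_unchecked(filebuf *b, const void *p, size_t n) {
    if (b->len + n > b->cap) grow(b, b->len + n);   /* error ignored */
    memcpy(b->map + b->len, p, n);                   /* out-of-bounds when grow failed */
    b->len += n;
}
/* Hardened form: a failed grow is reported and nothing is written. */
int append_checked(filebuf *b, const void *p, size_t n) {
    if (b->len + n > b->cap && grow(b, b->len + n) != 0) return -1;
    memcpy(b->map + b->len, p, n);
    b->len += n;
    return 0;
}
/* Worked run 1: /dev/null is not a regular file, so ftruncate() fails with EINVAL
 * and the hardened append must refuse without touching len, cap or map. */
int demo_grow_failure(void) {
    filebuf b = { open("/dev/null", O_RDONLY), NULL, 0, 0 };
    int refused = append_checked(&b, "x", 1) == -1 && b.len == 0 && b.map == NULL;
    close(b.fd);
    return refused;
}
/* Worked run 2: over a temporary file, two appends that both grow the store. */
int demo_grow_success(void) {
    FILE *f = tmpfile();
    if (!f) return 0;
    filebuf b = { fileno(f), NULL, 0, 0 };
    int ok = append_checked(&b, "hello", 5) == 0 && append_checked(&b, " world", 6) == 0
             && b.len == 11 && memcmp(b.map, "hello world", 11) == 0;
    fclose(f);
    return ok;
}
```

Running the unchecked form against the /dev/null descriptor is deliberately left out of the worked runs: its memcpy lands outside any mapping, which is exactly the out-of-bounds write the text describes.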

Using the second vulnerability, an attacker can send an email that crashes and restarts the device, and then run code remotely. The potential damage and the probability of triggering depend on the device model, memory size, and system version. On the latest iOS 13, because of changes in how memory and files are processed, the vulnerability is triggered without any action by the user as soon as the attack is launched, making it a "zero-click" vulnerability. On iOS 12, the user needs to open the email to trigger the attack. In their experiments, the researchers found that iOS 6 through iOS 13 are affected, and that any hardware model able to run one of those iOS versions is affected as well, regardless of how much RAM it has. They analyzed the suspicious data in iOS crash reports and then succeeded in reproducing a controllable device crash. If the attack fails, the user receives an email whose content reads roughly "This message cannot be displayed" or "This message has no content."

If the attack succeeds, the Mail application may quit unexpectedly and the device may then crash and force a restart. Alternatively the device does not crash, but runs slowly for a short time, after which the user will hardly notice any change in daily use. Such attacks are therefore very covert and can be attempted repeatedly. The attacker can then use the permissions of the Mail application to run code remotely, for example to send, read, modify, and delete messages. Combined with other undiscovered kernel-privilege vulnerabilities, the attacker may go on to obtain further information from the device, including control of it. In the actual cases, after compromising a device, the attackers also deleted the suspicious mail from the device or the mail server, reducing the chance of the user detecting it.

"When investigating the suspicious iPhone crash records of some customers last year, we realized that they were likely to have been hacked using unknown vulnerabilities," Avraham explained. "It is not an organized attack." According to Patrick Wardle, an Apple security expert and former researcher at the National Security Agency, this finding confirms that "there are always resource-rich hackers who can remotely and quietly attack iOS devices." Some cybersecurity experts are currently trying to reproduce the vulnerability, and at least two independent security researchers consider the evidence provided by ZecOps credible. According to official Apple figures, about 900 million iPhones were active in 2019. Cybersecurity experts believe that, given this widespread use, a serious vulnerability, if abused, can cause losses in excess of millions of dollars. "This is by no means the only zero-day vulnerability that exists in the world. Few people can resist this kind of attack," commented Dan Guido, CEO of another cybersecurity company.

Zero-day vulnerability investigation report: https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/
