KEY POINTS

  • In Apr 2020, Apple acknowledged the report about an exploit in the iOS Mail app
  • A new report from a mobile forensics firm revealed more details about the iPhone exploit
  • The first trigger of the exploit could have been around ten years ago and could affect over 900M iPhones, according to a new report

In Apr 2020, the Cupertino tech giant confirmed that every iPhone released in the past eight years is defenseless against a particular remote attack. This attack is launched using an exploit in the iOS Mail app. Apple downplayed the exploit last month, noting that there is no evidence of exploits, but it is now singing a different tune, confirming that millions of iPhone users could be hit by one of the longest-running iOS vulnerabilities.

Decade-Long iPhone iOS Vulnerability

A recent report from the security specialist ZecOps revealed more details about this iOS vulnerability. According to the report, this vulnerability in the iOS Mail app has existed in every single iPhone ever released, with its first possible trigger dating back around a decade. In 2019, the Cupertino tech giant confirmed 900 million active iPhones, which means almost a billion iPhone units are susceptible to this attack.

In April, ZecOps revealed that the bug is not limited to iPhones but also affects iPads and other devices running Apple's iOS. The mobile security forensics company also disclosed that the vulnerability enabled attackers to do a lot of things to infected devices. These include remotely stealing data from iPhone and iPad devices even if they are running the latest iOS build.

Apple, expected to see sharp declines in iPhone sales, unveiled its entry-level smartphone last week which could help limit the damage

Other Details

Moreover, the bug could have allowed hackers to gain access to whatever the iOS Mail app accessed, including sensitive and confidential messages. ZecOps CEO Zuk Avraham said, “We continued our research of the MailDemon vulnerability.” The executive added, “We were able to prove that this vulnerability can be used for Remote Code Execution. Unfortunately, a patch is still not available.”

Additionally, the CEO believes that “One thing is certain, there were triggers in the wild for this vulnerability since 2010,” as the company explains. ZecOps first reported the triggers and vulnerability in Oct 2010, which exposed the iPhone and iPad devices running on iOS 3.1.3 at that time. According to Patrick Wardle, an Apple security expert and former researcher for the US National Security Agency, the discovery “confirms what has always been somewhat of a rather badly kept secret: that well-resourced adversaries can remotely and silently infect fully patched iOS devices.”

The Cupertino tech giant is reportedly working on a fix for the iOS Mail app vulnerability. It might roll out the fix along with the release of iOS 13.5.