How iPhone bug may allow hackers to access users’ data

A security flaw in Apple’s mobile operating system allows hackers to install software on iPhones without getting the victim to download an attachment or click on any links, according to new research.

Cybersecurity experts say hackers may have been exploiting the as-yet unfixed bug in the iPhone’s Mail app since January 2018, The Times reports.

What are the hackers doing?

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

Typically, “an attack on a phone requires a user to download the malware”, usually by clicking on a link in a message or on an attachment sent by the hackers, explains The Times.

“Yet in this case, hackers send a blank email to the user. When the email is opened, a bug is triggered that causes the Mail app to crash, forcing the user to reboot it,” says the newspaper.

During the reboot, hackers can reportedly access information on the device, and remotely modify or delete emails.

How was it discovered?

The bug was discovered by San Francisco-based cybersecurity firm ZecOps, after researchers found suspicious lines of code on iPhones belonging to a client, The Washington Post reports.

Zuk Avraham, the company’s chief executive, told the newspaper that following months of investigations, his team realised that the code was connected to a previously unknown flaw in Apple’s email app.

ZecOps alerted Apple in March about the issue, he said.

Apple has since confirmed that a fix will be included in upcoming software updates, Reuters reports.

In a statement, the California-based tech giant said: “We have thoroughly investigated the researcher’s report, and based on the information provided, have concluded these issues do not pose an immediate risk to our users.

“The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers.”

–––––––––––––––––––––––––––––––For a round-up of the most important stories from around the world - and a concise, refreshing and balanced take on the week’s news agenda - try The Week magazine. Start your trial subscription today –––––––––––––––––––––––––––––––

Could your iPhone have been hacked?

In a blog post explaining the research findings, ZecOps said that the firm’s experts had “high confidence” that the flaws may have been used in attacks conducted by “an advanced threat operator”.

However, most users probably have nothing to worry about.

The company added that “it had found evidence that the bug was used to attack well-known targets including individuals from a Fortune 500 company in North America, an executive from a mobile carrier in Japan, employees of technology companies in Saudi Arabia and Israel, a European journalist and an individual in Germany”, the BBC reports.

ZecOps did not disclose the identities of these alleged victims.