Last week saw contradictory claims about iPhone Mail vulnerabilities, with a security company claiming that they had been exploited in real-world attacks, and Apple stating that it can find no evidence of this.
Two leading security researchers have now weighed in on this, agreeing with Apple on one point, while stating it remains possible that the bugs have been exploited …
Everyone now appears to agree with one of Apple’s statements: that the iOS Mail app vulnerabilities discovered by ZecOps cannot be exploited on their own. Apple said:
The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections.
ZecOps accepts this, and it has been backed by other security researchers. However, as we noted last week, that doesn’t mean that they couldn’t have been exploited alongside other vulnerabilities in order to carry out a successful attack.
The denial is not a complete refutation of the claim. It may be the case that the specific vulnerabilities alone cannot bypass security safeguards, but that they can be combined with existing exploits in order to do so.
Wired reports that our take has now been echoed by two high-profile security researchers.
iOS security researcher and Guardian Firewall creator Will Strafach points out that while Apple and ZecOps are correct about the limited utility of the Mail bugs alone, it’s still important to take these types of bugs seriously.
“A zero-click like this is especially interesting because it is not a full exploit chain, yet due to the nature of how it works, it could enable something like a smash-and-grab for mailbox data. Even the prospect of copying emails then self-deleting the crafted ‘attack email’ is quite scary.”
Former NSA hacker Patrick Wardle agrees, making the point that absence of evidence is not evidence of absence, and saying it wouldn’t be surprising that Apple would be unable to detect these attacks even if they have taken place.
“It is unlikely that if this vulnerability was used in highly targeted attacks that Apple would find evidence of such attack,” Wardle says. “Either way, it would be helpful for Apple to articulate how they came to this conclusion.”
Even the crudest zero-click attacks leave little trace, which makes tracking them an issue. Security analysts say that in many cases, the very features that make software more secure often make zero-click attacks harder to detect […]
“We don’t see a lot of these zero click vulnerabilities exploited in the wild and that is because they’re so difficult to detect—it’s not because they’re not out there.”
If the iPhone Mail vulnerabilities have been exploited, however, this is mostly likely against specific, high-profile targets.