By Christopher Bing, Joseph Menn

WASHINGTON/SAN FRANCISCO (Reuters) – Apple Inc (AAPL.O) is planning to fix a flaw that a security firm said may have left more than half a billion iPhones vulnerable to hackers.

The bug, which also exists on iPads, was discovered by ZecOps, a San Francisco-based mobile security forensics company, while it was investigating a sophisticated cyberattack against a client that took place in late 2019. Zuk Avraham, ZecOps’ chief executive, said he found evidence the vulnerability was exploited in at least six cybersecurity break-ins.

An Apple spokesman acknowledged that a vulnerability exists in Apple’s software for email on iPhones and iPads, known as the Mail app, and that the company had developed a fix, which will be rolled out in a forthcoming update on millions of devices it has sold globally.

Apple declined to comment on Avraham’s research, which was published on Wednesday and suggests that the flaw could be triggered from afar and that it had already been exploited by hackers against high-profile users.

Avraham said he found evidence that a malicious program was taking advantage of the vulnerability in Apple’s iOS mobile operating system as far back as January 2018. He could not determine who the hackers were and Reuters was unable to independently verify his claim.

Avraham said that, to execute the hack, victims would be sent an apparently blank email message through the Mail app, forcing a crash and reset. The crash opened the door for hackers to steal other data on the device, such as photos and contact details.

ZecOps claims the vulnerability allowed hackers to remotely steal data off iPhones even if they were running recent versions of iOS. By itself, the flaw could have given access to whatever the Mail app had access to, including confidential messages.

Avraham, a former Israeli Defense Force security researcher, said he suspected that the hacking technique was part of a chain of malicious programs, the rest undiscovered, which could have given an attacker full remote access. Apple declined to comment on that prospect.

ZecOps found the Mail app hacking technique was used against a client last year. Avraham described the targeted client as a “Fortune 500 North American technology company,” but declined to name it. They also found evidence of related attacks against employees of five other companies in Japan, Germany, Saudi Arabia, and Israel.

Avraham based most of his conclusions on data from “crash reports,” which are generated when programs fail in mid-task on a device. He was then able to recreate a technique that caused the controlled crashes.

Two independent security researchers who reviewed ZecOps’ discovery found the evidence credible, but said they had not yet fully recreated its findings.

Patrick Wardle, an Apple security expert and former researcher for the U.S. National Security Agency, said the discovery “confirms what has always been somewhat of a rather badly kept secret: that well-resourced adversaries can remotely and silently infect fully patched iOS devices.”

Because Apple was not aware of the software bug until recently, it could have been very valuable to governments and contractors offering hacking services. Exploit programs that work without warning against an up-to-date phone can be worth more than $1 million.

While Apple is largely viewed within the cybersecurity industry as having a high standard for digital security, any successful hacking technique against the iPhone could affect millions due to the device’s global popularity. In 2019, Apple said there were about 900 million iPhones in active use.

Bill Marczak, a security researcher with Citizen Lab, a Canada-based academic security research group, called the vulnerability discovery “scary.”

“A lot of times, you can take comfort from the fact that hacking is preventable,” said Marczak. “With this bug, it doesn’t matter if you’ve got a PhD in cybersecurity, this will eat your lunch.”

Reporting by Christopher Bing in Washington and Joseph Menn in San Francisco.
