Millions of iPhones vulnerable to nasty email hack — what to do now (updated)
Attacks date back at least two years and affect all models
UPDATED with comment from Apple. This story was originally published April 22, 2020.
Hackers have been remotely attacking iPhones with malicious email messages for at least two years, San Francisco-based security firm ZecOps reports.
Apple plans to fix the underlying flaws in the upcoming release of iOS 13.4.5, but for now, all versions of iOS dating back to at least iOS 6 are vulnerable to these attacks. Because the attacks work only against Apple's own Mail app, you can protect yourself by deleting the app until the fix is issued.
But that might not be necessary. The attacks have so far been against only business leaders, journalists and corporate security firms, the type of valuable targets who are always at high risk of cyberattack from well-funded adversaries.
The attackers can use these exploits to "leak, modify, and delete emails," ZecOps said in a blog post Monday (April 20), but the attackers might also be able to get full device control with additional exploits.
ZecOps researchers said that the exploits let hackers hijack an iPhone's processes by sending a very large email message, or a message that otherwise consumes a lot of system memory. If Apple's own Mail program runs out of memory, the attackers will be able to inject malicious code.
Exploits of two other bugs in iOS would be required for the attack to fully work, but ZecOps is not releasing details of those bugs for now. (This story was first reported by Vice News.)
Update: Apple responds
In correspondence with Bloomberg News reporter Mark Gurman on April 23, Apple said that "these issues do not pose an immediate risk to our users."
Apple responds to ZecOps report on Mail app vulnerabilities, says it doesn’t pose immediate risk and software update coming. pic.twitter.com/z4ExrmVfK8 (April 24, 2020)
Apple goes on to say that the flaws ZecOps found "are insufficient to bypass iPhone and iPad security procedures," and that "we have found no evidence they were used against customers."
That doesn't totally contradict what ZecOps said. As we saw above, the initial research report mentioned two other bugs necessary for the Mail hack to work. And just because Apple has no evidence of attacks involving these flaws doesn't mean they didn't happen.
Running out of memory
Eating up memory is not that hard to do on older iPhones that don't have a lot of RAM — for instance, 2017's iPhone X has only 3GB — but all models are vulnerable. However, the attack does not work on third-party email apps such as Gmail or Outlook.
Surprisingly, iOS 13 is arguably even more at risk from these attacks than older versions of iOS. That's because iOS 13 handles the back-end process of email processing in a different way.
The result is that iOS 13 can be hacked as soon as an iPhone receives the malicious email message, and the phone will continue to function normally. No user interaction is needed.
In iOS 12 and earlier, it's easier to make the phone run out of RAM, but the iPhone's user must open the malicious message for the exploit to work, and the Mail app may then crash. In either situation, the attackers often remotely delete the email messages so that the targets won't see them on their devices.
High-profile targets
ZecOps said the attacks date back at least to January 2018, when iPhones running iOS 11.2.2 were successfully attacked.
"It is possible that the attacker(s) were using this vulnerability even earlier," ZecOps said.
The targeted individuals, ZecOps said, have so far included "individuals from a Fortune 500 organization in North America, an executive from a [wireless] carrier in Japan, a VIP from Germany, MSSPs [managed security service providers] from Saudi Arabia and Israel, a journalist in Europe" and perhaps "an executive from a Swiss enterprise."

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
