Millions of iPhones vulnerable to nasty email hack — what to do now (updated)

iPhone hack
(Image credit: Tom's Guide)

UPDATED with comment from Apple. This story was originally published April 22, 2020.

Hackers have been remotely attacking iPhones with malicious email messages for at least two years, San Francisco-based security firm ZecOps reports. 

Apple plans to fix the underlying flaws in the upcoming release of iOS 13.4.5, but for now, all versions of iOS dating back to at least iOS 6 are vulnerable to these attacks. Because the attacks work only against Apple's own Mail app, you can protect yourself by deleting the app until the fix is issued.

But that might not be necessary. The attacks have so far been against only business leaders, journalists and corporate security firms, the type of valuable targets who are always at high risk of cyberattack from well-funded adversaries.

The attackers can use these exploits to "leak, modify, and delete emails," ZecOps said in a blog post Monday (April 20), but the attackers might also be able to get full device control with additional exploits. 

ZecOps researchers said that the exploits let hackers hijack an iPhone's processes by sending a very large email message, or a message that otherwise consumes a lot of system memory. If Apple's own Mail program runs out of memory, the attackers will be able to inject malicious code.

Exploits of two other bugs in iOS would be required for the exploits to fully work, but ZecOps is not releasing details of those bugs for now. (This story was first reported by Vice News.) 

Update: Apple responds

In correspondence with Bloomberg News reporter Mark Gurman April 23, Apple said that "these issues do not pose an immediate risk to our users." 

See more

Apple goes on to say that the flaws ZecOps found "are insufficient to bypass iPhone and iPad security procedures," and that "we have found no evidence they were used against customers."

That doesn't totally contradict what ZecOps said. As we saw above, the initial research report mentioned two other bugs necessary for the Mail hack to work. And just because Apple has no evidence of attacks involving these flaws doesn't mean they didn't happen.

Running out of memory

Eating up memory is not that hard to do on older iPhones that don't have a lot of RAM — for instance, 2017's iPhone X has only 3GB — but all models are vulnerable. However, the attack does not work on third-party email apps such as Gmail or Outlook.

Surprisingly, iOS 13 is arguably even more at risk from these attacks than older versions of iOS. That's because iOS 13 handles the back-end process of email processing in a different way. 

The result is that iOS 13 can be hacked as soon as an iPhone receives the malicious email message, and the phone will continue to function normally. No user interaction is needed.

In iOS 12 and earlier, it's easier to make the phone run out of RAM, but the iPhone's user must open the malicious message for the exploit to work, and the Mail app may then crash. In either situation, the attackers often remotely delete the email messages so that the targets won't see them on their devices.

High-profile targets

ZecOps said the attacks date back at least to January 2018, when iPhones running iOS 11.2.2 were successfully attacked. 

"It is possible that the attacker(s) were using this vulnerability even earlier," ZecOps said.

The targeted individuals, ZecOps said, have so far included "individuals from a Fortune 500 organization in North America, an executive from a [wireless] carrier in Japan, a VIP from Germany, MSSPs [managed security service providers] from Saudi Arabia and Israel, a journalist in Europe" and perhaps "an executive from a Swiss enterprise."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.