ZecOps, a San Francisco-based mobile security forensics company, has discovered a pair of zero-day vulnerabilities in the Mail app on iPhones and iPads that attackers have been abusing in the wild for at least two years to target individuals across various industries and organizations.
In a report published on Wednesday, ZecOps said it found evidence that both the vulnerabilities have been actively exploited by an “advanced threat operator” since 2018.
According to the researchers, both vulnerabilities can be exploited remotely simply by sending an email to the victim's default iOS Mail application on an iPhone or iPad.
Both flaws affect what was then the latest iPhone software, iOS 13.4.1, though ZecOps says the vulnerabilities have existed since at least iOS 6, released in September 2012.
“The attack’s scope consists of sending a specially crafted email to a victim’s mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13,” wrote researchers.
On iOS 12 the bug fires when the user opens the malicious message: the Mail app crashes and the attacker gains a foothold in its context, with access to the confidential data the app can reach. On iOS 13 the flaw can be triggered while the Mail daemon downloads the message's data in the background, so the recipient does not have to open or click anything for the device to be compromised.
The bugs in question are remote code execution flaws that reside in the MIME library of Apple’s mail app.
The first vulnerability is an out-of-bounds (OOB) write. The researchers said the affected library is “/System/Library/PrivateFrameworks/MIME.framework/MIME” and the vulnerable function is “[MFMutableData appendBytes:length:]”.
“[The] implementation of MFMutableData in the MIME library lacks error checking for system call ftruncate() which leads to the Out-Of-Bounds write. We also found a way to trigger the OOB-Write without waiting for the failure of the system call ftruncate,” the researchers said.
The second flaw, a heap-overflow issue, can also be triggered remotely.
“Both the OOB Write bug, and the Heap-Overflow bug, occurred due to the same problem: not handling the return value of the system calls correctly,” the researchers wrote.
“The remote bug can be triggered while processing the downloaded email, in such scenario, the email won’t get fully downloaded to the device as a result.”
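To make the bug class concrete, here is an added example in C (not Apple's code and not from the ZecOps report) that models a file-backed growable buffer. The names `mdata_t`, `model_ftruncate`, `append_bytes_unchecked` and `append_bytes_checked` are hypothetical, the sample data is constructed, and the failure of the system call is injected with a flag rather than by filling a volume. The unchecked variant drops the ftruncate() result, as the report describes, so after a failed grow it still copies the new bytes past the real end of the backing; the checked variant propagates the error and writes nothing. A guard region after the backing absorbs the overflow so the demo runs and the out-of-bounds write can be measured instead of crashing.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a file-backed growable buffer (a stand-in for the
 * MFMutableData object named in the report, not Apple's code). The "file" is a
 * heap block of backing_size data bytes followed by a guard region, so the OOB
 * write lands in the guard instead of crashing this demo. */
#define GUARD_BYTES 256
#define GUARD_FILL  0xAA

typedef struct {
    unsigned char *backing;  /* backing_size data bytes + GUARD_BYTES guard */
    size_t backing_size;     /* logical size the last successful grow set */
    size_t length;           /* bytes appended so far */
    bool fail_ftruncate;     /* fault injection: make the next grow fail */
} mdata_t;

/* Stand-in for ftruncate(): grows the backing, or fails and leaves it untouched. */
static int model_ftruncate(mdata_t *d, size_t new_size) {
    if (d->fail_ftruncate) { errno = ENOSPC; return -1; }   /* e.g. full volume */
    unsigned char *p = realloc(d->backing, new_size + GUARD_BYTES);
    if (!p) { errno = ENOMEM; return -1; }
    d->backing = p;
    d->backing_size = new_size;
    memset(d->backing + new_size, GUARD_FILL, GUARD_BYTES);  /* re-arm the guard */
    return 0;
}

static mdata_t *mdata_new(size_t initial) {
    mdata_t *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    d->backing = malloc(initial + GUARD_BYTES);
    if (!d->backing) { free(d); return NULL; }
    d->backing_size = initial;
    memset(d->backing + initial, GUARD_FILL, GUARD_BYTES);
    return d;
}

static void mdata_free(mdata_t *d) { free(d->backing); free(d); }

/* The pattern the report describes: the ftruncate() result is dropped, so after
 * a failure the code still believes the buffer grew and memcpy() writes n bytes
 * past the real end of the backing. */
static void append_bytes_unchecked(mdata_t *d, const void *bytes, size_t n) {
    if (d->length + n > d->backing_size)
        (void)model_ftruncate(d, d->length + n);   /* return value ignored */
    memcpy(d->backing + d->length, bytes, n);       /* OOB write if the grow failed */
    d->length += n;
}

/* Hardened form: check the result, write nothing on failure, report it. */
static int append_bytes_checked(mdata_t *d, const void *bytes, size_t n) {
    if (n > SIZE_MAX - d->length) { errno = EOVERFLOW; return -1; }
    if (d->length + n > d->backing_size && model_ftruncate(d, d->length + n) != 0)
        return -1;                                  /* buffer left unchanged */
    memcpy(d->backing + d->length, bytes, n);
    d->length += n;
    return 0;
}

/* Guard bytes overwritten past backing_size, i.e. the size of the OOB write. */
static size_t guard_bytes_clobbered(const mdata_t *d) {
    size_t count = 0;
    for (size_t i = 0; i < GUARD_BYTES; i++)
        if (d->backing[d->backing_size + i] != GUARD_FILL) count++;
    return count;
}

struct demo_result { int rc; size_t length; size_t clobbered; };

/* Fill a 16-byte buffer, force the next grow to fail, then append 8 more bytes. */
static struct demo_result run_demo(bool checked) {
    static const char first[16] = "0123456789ABCDEF";   /* constructed sample data */
    static const char more[8]   = "OVERFLOW";           /* constructed sample data */
    struct demo_result r = { 0, 0, 0 };
    mdata_t *d = mdata_new(sizeof first);
    if (!d) { r.rc = -1; return r; }
    if (checked) {
        r.rc = append_bytes_checked(d, first, sizeof first);
        d->fail_ftruncate = true;
        if (r.rc == 0) r.rc = append_bytes_checked(d, more, sizeof more);
    } else {
        append_bytes_unchecked(d, first, sizeof first);
        d->fail_ftruncate = true;
        append_bytes_unchecked(d, more, sizeof more);
    }
    r.length = d->length;
    r.clobbered = guard_bytes_clobbered(d);
    mdata_free(d);
    return r;
}

struct demo_result demo_unchecked(void) { return run_demo(false); }
struct demo_result demo_checked(void)   { return run_demo(true); }

int main(void) {
    struct demo_result u = demo_unchecked(), c = demo_checked();
    printf("unchecked: length=%zu, %zu bytes written past the real end\n", u.length, u.clobbered);
    printf("checked:   rc=%d length=%zu, %zu bytes past the end\n", c.rc, c.length, c.clobbered);
    return 0;
}
```

In the unchecked run the object's bookkeeping (`length` = 24) disagrees with the real backing (16 bytes), and the 8 appended bytes land past the end; in a real file-backed mapping that same write corrupts whatever follows or faults. The checked variant refuses the append and leaves both the data and the bookkeeping consistent, which is the whole fix: treat every system-call return value as a security decision, not a hint.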
According to the researchers, both bugs have been exploited in the wild. However, they believe “the first vulnerability (OOB Write) was triggered accidentally, and the main goal was to trigger the second vulnerability (Remote Heap Overflow).”
The vulnerabilities were discovered by ZecOps while investigating a sophisticated cyberattack against a client that took place in late 2019. According to Zuk Avraham, founder and CEO of ZecOps, the vulnerabilities were exploited in at least six break-ins.
“With very limited data, we were able to see that at least six organizations were impacted by this vulnerability – and the full scope of abuse of this vulnerability is enormous,” the researchers said.
“While ZecOps refrains from attributing these attacks to a specific threat actor, we are aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as the main identifier.”
ZecOps identified the following targets of the attacks:
- Individuals from a Fortune 500 organization in North America
- An executive from a carrier in Japan
- A VIP from Germany
- MSSPs from Saudi Arabia and Israel
- A Journalist in Europe
- Suspected: An executive from a Swiss enterprise
ZecOps notified the Apple security team about the vulnerabilities in February. Last week, Apple released the iOS 13.4.5 beta, which contains patches for both zero-day vulnerabilities. The fix is set to reach millions of iPhone and iPad users in the next public iOS and iPadOS 13.4.5 update.
Apple said it has found no evidence that attackers are exploiting these vulnerabilities.
“We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users,” the Cupertino, California company said. “The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers.”
Until the update ships, we strongly recommend that Apple users stop using the built-in Mail app and switch to a third-party client such as Outlook or Gmail. Note that on iOS 13 the bug can be hit while the Mail daemon fetches messages in the background, so simply not opening the app is not enough; the accounts configured in Mail should be removed or disabled so that it no longer downloads messages.
Researchers at Cisco Talos cybersecurity group demonstrated how they were able to trick and bypass the fingerprint authentication systems on phones, laptops, and other devices by using fake fingerprints created with 3D printing technology and textile glue.
According to researchers Paul Rascagneres and Vitor Ventura, the printed fake fingerprints were tested against a wide range of devices and achieved roughly an 80% success rate on average.
There are three main types of fingerprint sensors: capacitive, optical and ultrasonic. Each reads the finger differently, which determines which mould materials and collection methods work against it.
The most common type is capacitive, which uses the body’s natural electrical conductivity to read the ridges of a fingerprint, while optical sensors use light to capture an image of the finger. Ultrasonic sensors, the newest type and the one commonly used for in-display readers, bounce ultrasonic waves off the finger and read the echo; of the three, the ultrasonic type proved the easiest to bypass.
“Our tests showed that — on average — we achieved an ~80 percent success rate while using the fake fingerprints, where the sensors were bypassed at least once. Reaching this success rate was difficult and tedious work. We found several obstacles and limitations related to scaling and material physical properties,” Vitor Ventura and Paul Rascagneres of Talos explained in their research analysis .
“Even so, this level of success rate means that we have a very high probability of unlocking any of the tested devices before it falls back into the pin unlocking. The results show fingerprints are good enough to protect the average person’s privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.”
The researchers used a 3D printer to create moulds and cured them in a UV chamber. They then cast the fake fingerprints from the moulds in materials that included silicone and fabric glue.
“During our tests, it became clear that the material used is a determining factor depending on the kind of sensor, especially when comparing sonic with capacitive sensors. To increase our success rate, we used silicon and different kinds of glue, mixed with conductive (graphite and aluminum) powder,” they said.
The researchers had a budget of $2,000 as well as 13 smartphones, laptops, and other devices for the testing process. To start the testing process, the researchers used infamous gangster Al Capone’s publicly available fingerprints as an example. Mobile devices proved to be the best targets, as most people commonly use fingerprint sensors on their devices.
“These devices were also the targets of some of the first research into fingerprint authentication, which should give this platform more maturity in the technology. However, the results show that mobile phone fingerprint authentication has weakened compared to when it was first broken in 2013,” they said.
The fake fingerprints were successfully tested by the researchers on iPhone 8, Samsung S10, Huawei P30 Lite, MacBook Pro 2018, iPad 5th Gen, Samsung Note 9, Honor 7X, and an AICase Padlock. However, they were unable to access the Samsung A70 phone, the Lexar Jumpdrive Fingerprint F35, or the Verbatim Fingerprint Secure USB-encrypted pen drive.
The researchers concluded that fingerprint authentication is adequate for the majority of the population considering the process to bypass it is very complex, time-consuming and expensive for an everyday person to pull off.
“For a regular user of fingerprint authentication, the advantages are obvious, and it should be used. However, if the user is a more high-profile or their device contains sensitive information, we recommend relying more on strong passwords and token two-factor authentication,” they wrote.