Flaw in iPhone, iPads may have allowed hackers to steal data for years
Thomson Reuters | Wednesday, 22 April 2020 16:52 GMT | By Christopher Bing and Joseph Menn
Posted on 04/22/2020 7:19:57 PM PDT by cba123
WASHINGTON/SAN FRANCISCO, April 22 (Reuters) - Apple Inc is planning to fix a flaw that a security firm said may have left more than half a billion iPhones vulnerable to hackers.
The bug, which also exists on iPads, was discovered by ZecOps, a San Francisco-based mobile security forensics company, while it was investigating a sophisticated cyberattack against a client that took place in late 2019. Zuk Avraham, ZecOps' chief executive, said he found evidence the vulnerability was exploited in at least six cybersecurity break-ins.
An Apple spokesman acknowledged that a vulnerability exists in Apple's software for email on iPhones and iPads, known as the Mail app, and that the company had developed a fix, which will be rolled out in a forthcoming update on millions of devices it has sold globally.
(Excerpt) Read more at news.trust.org ...
TOPICS: Business/Economy; Foreign Affairs; News/Current Events
KEYWORDS: apple; ios; ipad; iphone
First I had heard of this.
1 posted on 04/22/2020 7:19:57 PM PDT by cba123
To: cba123
2 posted on 04/22/2020 7:20:20 PM PDT by cba123 (I am an American. I am now in Vietnam.)
To: cba123
Glad to hear that Apple has ‘features’ too.
To: cba123
Reporting by Christopher Bing in Washingtong and Joseph Menn in San Francisco. Contributions from Jack Stubbs in London and Stephen Nellis in San Francisco; editing by Chris Sanders, Edward Tobin and Sonya Hepinstall.
SEVEN people worked on this article. Three of them did "editing." And still they couldn't find and fix the claim that the two primary reporters are in "Washingtong."
To: Swordmaker
5 posted on 04/22/2020 7:45:11 PM PDT by IncPen ("Inside of every progressive is a Totalitarian screaming to get out" ~ David Horowitz)
To: cba123; Swordmaker
half a billion iPhones vulnerable to hackers.
sword swallower is behind the curve on this apple
6 posted on 04/22/2020 7:47:57 PM PDT by 867V309 (Lock Her Up)
To: 867V309
Well to be fair, the article says “may” have.
7 posted on 04/22/2020 7:50:17 PM PDT by cba123 (I am an American. I am now in Vietnam.)
To: cba123
My cynical self says... not a flaw but a design choice.
had to compete with all the other tech outfits in datamining for dollars.
8 posted on 04/22/2020 7:51:27 PM PDT by Grimmy (equivocation is but the first step along the road to capitulation)
To: cba123
9 posted on 04/22/2020 7:57:53 PM PDT by 867V309 (Lock Her Up)
To: cba123
How does this jive with all the Law Enforcement complaints of iphones being totally ‘secure’.
10 posted on 04/22/2020 8:10:27 PM PDT by Scrambler Bob (This is not /s. It is just as viable as any MSM 'information', maybe more so!)
To: Swordmaker
Hi Swordmaker,
If you can determine which versions of iOS (and if possible which versions of the Mail app) are vulnerable, please publish here.
I'm still using my old trusty 5c with 10.3.3 and no option to upgrade anything about it any more. I'm holding my breath for the upcoming re-release of the model SE. :-). But in the meantime....
11 posted on 04/22/2020 8:11:18 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")
To: cba123; ~Kim4VRWC's~; 1234; 5thGenTexan; AbolishCSEU; Abundy; Action-America; acoulterfan; ...
This is not the first time Avraham has made this claim. Nor is it the first time he's made this unsupported assertion:
Avraham, a former Israeli Defense Force security researcher, said he suspected that the hacking technique was part of a chain of malicious programs, the rest undiscovered, which could have given an attacker full remote access.
Actually, no, it could not have.
The Mail App, like all other apps on iOS, runs in a sandbox, sequestered from all other apps and data. In addition, once the iPhone or iPad crashes and restarts, anything an App that crashed it will have been doing is flushed in the restart and the user is required to re-enter the passcode. To effect anything, an email must first be opened, and in iOS, NOTHING in email runs automatically, no scripts, etc., so something in the email must be a link clicked on! It's not automatic; it may look like an empty email, but it's not.
ZEC is claiming 0 click and that it works on receipt of the email, and further that it works since iOS 11. I call BS on that. In fact, this looks exactly like the exact same claim they made last year. They claim they were working with Apple on a fix which was incorporated in the last iOS 13.4.5 beta as of April 15th, but if that's so, you don't knife Apple in the back with a public press release before it's actually rolled out! I suspect deliberate FUD.
In fact, ZEC does not even describe it as an exploit but always refers to it as a vulnerability, talking about suspicions that something may have happened. This was the exact same phrasing they used the last time they announced this discovery.
For all of this to work, according to ZEC, requires the attacker to have control of your email server. . . If that's the case, you've got more serious problems than someone getting access to some of your contacts and your photos. PING!
APPLE iOS SECURITY PING!
If you want on or off the Apple/Mac/iOS Ping List, Freepmail me.
12 posted on 04/22/2020 8:18:41 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplophobe bigot!)
Patrick Wardle, an Apple security expert and former researcher for the U.S. National Security Agency, said the discovery "confirms what has always been somewhat of a rather badly kept secret: that well-resourced adversaries can remotely and silently infect fully patched iOS devices."
This quote is another indicator of this being FUD (Fear, Uncertainty, and Doubt). Wardle is the go to guy when you want a guaranteed anti-Apple security quote from a so-called expert. He's never had anything positive to say about Apple. He's former expert, will say FUD on demand, results guaranteed or your money back! Wind the crank and it comes out. He's no Apple Security Expert anything except in anti-Apple articles. . .
Avraham based most of his conclusions on data from "crash reports," which are generated when programs fail in mid-task on a device. He was then able to recreate a technique that caused the controlled crashes. Two independent security researchers who reviewed ZecOps' discovery found the evidence credible, but said they had not yet fully recreated its findings.
Here is the nub. . . ZecOps' work has NOT been peer reviewed or duplicated. AND it is apparent that Avraham does NOT have an in the wild example of an actual weaponized email message ever received by anyone, as he claims he based his conclusion on crash reports and then had to recreate a technique to duplicate what he saw in the crash report!
To put this in English, everything beyond a vulnerability that could possibly be exploited as described, is PURE SPECULATION on Avraham's part! HYPERBOLE!
13 posted on 04/22/2020 8:39:18 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplophobe bigot!)
To: Swordmaker
14 posted on 04/22/2020 9:22:29 PM PDT by Loud Mime ("Now, go and do your duty before darkness covers the earth." Michael Uhlmann (1939 - 2019))
To: Scrambler Bob
How does this jive with all the Law Enforcement complaints of iphones being totally secure.
old news
15 posted on 04/22/2020 9:35:32 PM PDT by 867V309 (Lock Her Up)
To: cba123
As it happens, I cannot use Apple products, I am not ......
16 posted on 04/22/2020 9:43:06 PM PDT by doorgunner69 (Peace is that brief glorious moment in history when everybody stands around reloading - T Jefferson)
To: Loud Mime
Yes. Thank you Swordmaster.
17 posted on 04/22/2020 9:50:49 PM PDT by cba123 (I am an American. I am now in Vietnam.)
To: cba123
Yes. Thank you Swordmaster.
O what would would be fr without its drudge?
18 posted on 04/22/2020 9:58:53 PM PDT by 867V309 (Lock Her Up)
To: 867V309
Drudge.
What a disappointment.
Used to read him daily. HUGE fan.
Now I go about once, every couple months. And even less, all the time.
Big, big disappointment.
19 posted on 04/22/2020 10:09:39 PM PDT by cba123 (I am an American. I am now in Vietnam.)
To: cba123
Especially since he sold out to google.
20 posted on 04/22/2020 10:10:36 PM PDT by CJ Wolf ( #wwg1wga #gin&tonic #godwins)