Apple contests the accuracy of this week's report that attackers exploited an unpatched iOS bug that allowed them to take full control of iPhones.
San Francisco-based security firm ZecOps said Wednesday that attackers had used the zero-day exploit against at least six targets for at least two years. In the now-controversial report, ZecOps said the critical bug was in the Mail app and could be triggered by sending specially crafted emails that required no user interaction.
At the time, Apple declined to comment on the report. Late Thursday evening, however, Apple pushed back against ZecOps' findings that (a) the bug posed a threat to iPhone and iPad users, and (b) any in-the-wild exploitation had occurred at all. In a statement, officials wrote:
Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher's report and, based on the information provided, have concluded that these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but by themselves, they're not enough to bypass iPhone and iPad security protections, and we've found no evidence that they were used against customers. These potential issues will be addressed in a software update shortly. We value our collaboration with security researchers to help keep our users safe and thank the researcher for their assistance.
A number of independent researchers have also questioned ZecOps' conclusion. In general, the critics said that the evidence on which ZecOps based its results was not convincing. ZecOps' conclusion rested on the observation that the malicious emails had been deleted, presumably to hide the attacks, while data remaining in the logs indicated that the deletions and crashes were the result of an exploit.
The critics countered that if the exploit could delete the emails, it could just as easily have deleted the crash log data. They also said that errors and some technical details in the ZecOps report strongly suggested that the bug was a harmless crash triggered by certain types of emails. The critics were further skeptical that an advanced exploit would cause a crash at all. Those doubts have persisted since then.
HD Moore, Vice President of Research and Development at Atredis Partners and an expert in software exploitation, told me on Friday:
It looks like ZecOps identified a crash report, found a way to reproduce the crashes, and assumed, based on the evidence, that this was used for malicious purposes. It sounds like, after it was reported to Apple, Apple found out that it was just a crash, and that closes the door on whether this was actually in-the-wild exploitation of a new iOS zero-day.
Apple might be wrong, but given their sensitivity to this stuff, they have probably researched it properly. Through the grapevine, I heard that the internal security team that handled this investigation at Apple was upset because ZecOps went to press immediately, before they were able to do a review.
Other critics have posted their critiques on Twitter.
"Looks like you have a real vuln, but the evidence of exploitation looks weak … and no information in your post-exploitation chain that leads to information disclosure or code execution," wrote researcher Rich Mogull. "Is there an update you can share? Quite a big claim that a 0-day email is used without a click."
Looks like you have a real Vuln, but evidence of exploitation looks weak … and no information in your post-exploitation chain that could lead to information disclosure or code execution. Is there an update you can share? Quite a big claim that a 0-day email is used without a click. https://t.co/xrWbXTPndQ
– Rich Mogull (@rmogull), April 22, 2020
While leaving open the possibility of genuine exploitation of a vulnerability, Mogull said that ZecOps had not provided sufficient evidence to rule out an accidental, non-malicious crash.
Meanwhile, ZecOps appeared to stand by its report, saying on Twitter:
According to ZecOps data, some organizations have had triggers for this vulnerability. We would like to thank Apple for working on a patch and look forward to updating our devices as they become available. ZecOps will release more information and POCs as soon as a patch is available.
According to ZecOps, the company's researchers were able to write a proof-of-concept exploit based on data collected from iPhones they believed had been attacked, and the exploit took complete control of fully updated devices. ZecOps declined to publish the exploit or any other data until Apple released a fix for the bug. Apple has already included the patch in a beta version of the upcoming 13.4.5. As stated in the Thursday night statement, the company will make it widely available soon.
The controversy, Apple's rebuttal, and the rarity of zero-click vulnerabilities in iOS are certainly reasons for skepticism. It will be worth examining the additional information that ZecOps has committed to publishing once Apple releases a fix.