Apple is disputing the accuracy of this week’s report that found attackers have been exploiting an unpatched iOS bug that allowed them to take full control of iPhones.
San Francisco-based security firm ZecOps said on Wednesday that attackers had used the zero-day exploit against at least six targets over a span of at least two years. In the now-disputed report, ZecOps had said the critical flaw was located in the Mail app and could be triggered by sending specially manipulated emails that required no interaction on the part of users.
Apple declined to comment on the report at the time. Late on Thursday night, however, Apple pushed back on ZecOps’ findings that (a) the bug posed a threat to iPhone and iPad users and (b) there had been any active exploit at all. In a statement, officials wrote:
Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.
A fair number of independent researchers have also questioned the ZecOps conclusion. Generally, the critics said that the evidence ZecOps based its findings on wasn’t persuasive. The disputed findings rested on evidence that the malicious emails had been deleted, presumably to hide the attacks, while data that remained in logs indicated the deletions and crashes were the result of an exploit.
The critics said that if the exploit was able to delete the emails, it would have been able to delete the crash log data as well. The critics said that failure, together with some technical details contained in the ZecOps report, strongly suggested the flaw was a more benign bug that was triggered by certain types of emails. The critics were also skeptical that an advanced exploit would cause a crash at all. Those doubts have continued ever since.
HD Moore, vice president of research and development at Atredis Partners and an expert in software exploitation, told me on Friday:
It looks like ZecOps identified a crash report, found a way to reproduce the crashes, and based on circumstantial evidence assumed this was being used for malicious purposes. It sounds like after he reported it to Apple, Apple investigated, found out these were just crash bugs, and that shuts the door on this being actually in-the-wild-exploitation of a new iOS zero-day.
It could be Apple is wrong, but given their sensitivity to this stuff, they probably did a decent job of investigating it. Through the grapevine I heard that the internal security team that handled this investigation at Apple was pissed off about it, since ZecOps went straight to press before they had a chance to review.
Other critics have delivered their critiques on Twitter.
“Looks like you have a real vuln but the evidence of exploitation looks weak… and no info in your post on post-exploitation chaining to lead to info disclosure or code execution,” researcher Rich Mogull wrote. “Any update you can share? Pretty big claim of a no-click mail 0-day being used.”
— Rich Mogull (@rmogull) April 22, 2020
While Mogull left open the possibility of a real-world exploitation of a vulnerability, he said ZecOps didn’t provide adequate proof to rule out an intentional bug crash. Another criticism is here.
ZecOps, meanwhile, appeared to stand by its report, saying on Twitter:
According to ZecOps data, there were triggers in-the-wild for this vulnerability on a few organizations. We want to thank Apple for working on a patch, and we’re looking forward to updating our devices once it’s available. ZecOps will release more information and POCs once a patch is available.
ZecOps said that based on the data collected on iPhones it believes were exploited, company researchers were able to write a proof-of-concept exploit that took full control of fully updated devices. ZecOps has declined to publish the exploit or other data until Apple releases a fix for the bug. Apple has already released the patch for a beta version of the upcoming iOS 13.4.5, and as Thursday night’s statement said, the company plans to make it generally available soon.
The controversy, Apple’s denial, and the rarity of zero-click vulnerabilities in iOS are certainly reasons for skepticism. It will be worth reviewing the additional information ZecOps has pledged to publish once Apple releases a fix.
Update 4/25/2020, 5:45 PM California time: ZecOps founder and CEO Zuk Avraham told me on Saturday that he still stands by his findings and would like Apple to provide more details. Specific questions he has are (1) how many triggers were there for this vulnerability (both malicious and non-malicious) since iOS 6 and (2) how did Apple confirm that all of these triggers are not malicious? I’ve sent these questions to Apple and will update if Apple provides answers.