May 15, 2020

New Apple Security Blow: If You Have An iPhone, Look Away Now


Apple had been hoping to move past its recent run of security warnings—but no such luck. After a dreadful April, here we are in May with yet another security blow for the hundreds of millions of iOS users around the world. And this time, it’s more than just an overblown exploit that can be downplayed, this time it’s confirmation that a glut of new security exploits are targeting iOS users.

After some torrid security disclosures last year, the first sign of trouble for Apple this time around came with a claim from security researchers at ZecOps that a zero-day vulnerability in Apple’s native mail application had been exploited in the wild, chained with other vulnerabilities to compromise devices. Apple denied the exploit had impacted users, but some security officials were not convinced, warning users to remove the mail app until the issue is fixed.

Then, just a couple of days later, we had reports of a new “text bomb” that exposed Apple devices running iOS 13 to a remotely triggered crash following the receipt of a message containing a crafted text string. Apple is patching both flaws—but the confidence of users was shaken by the scale of the security flaws, coming in the wake of all the stories of Apple’s buggy iOS 13 release.

Then, five days after the text bomb news, Google’s researchers decided to pile on more pressure, with Project Zero’s bug-hunters reporting “numerous new vulnerabilities” with Apple’s handling of obscure image formats. The disclosed flaws were patched by the time Google reported, but the researchers warned there would be other flaws still hidden away, just waiting to be found.

And so to the latest security surprise for iOS users. Renowned vulnerability shop, Zerodium, has publicly announced “we will not be acquiring any new Apple iOS LPE [local privilege escalation], Safari RCE [remote code execution], or sandbox escapes for the next two to three months due to a high number of submissions related to these vectors.” The firm also warned that there would likely be price drops for other iOS exploits in the “near future.”

The implication for those hundreds of millions of iOS users is that those exploits being hawked have successfully found ways to breach Apple’s defences. Exploits are valued based on their scarcity. If you have a platform designed around its security, for which an over-supply of security exploits has destroyed the market, that is clearly a worry for all those users.

Zerodium’s founder went further in his own comments, letting loose on Twitter as to the dire state of iOS security, referencing “persistence exploits (0days) [that] work with all iPhones/iPads,” and signing off his tirade somewhat ominously by saying “let’s hope iOS 14 will be better.”

Zerodium made headlines in a similar vein last September, when it announced that the value of Android exploits had overtaken those for iOS for the first time since the firm was set up. As now, the firm blamed over-supply: there were simply too many iOS exploits knocking around. The latest news suggests that has gotten worse.

The debate between Apple and Android users as to the relative security of their devices is highly impassioned. And so an interesting online debate greeted the news from Zerodium. “Hello @AppleSupport, this is very concerning, will you be addressing this?” asked one user on Twitter. “That’s some sad news for iOS,” said another.

There was some pushback on Zerodium’s decision to make this proclamation—Intel’s Ryan Naraine even suggested it was a marketing ploy. But, in reality, there’s little point in Zerodium discouraging hackers from pushing exploits in its direction if there is a market.

As things stand, security analysts will be watching the next iOS release to see how well the various vulnerabilities that were disclosed are patched—and then we will all wait to see how the tech giant handles iOS 14 differently following the various iOS 13 issues that have beset the company since its release.

Apple was approached for any comments on this story.

By Zak Doffman