Fix on the Way for Apple Mail Exploit


If you use the default iOS Mail app, you could have a vulnerability on your phone. A hacker can send an email to an account you have in Apple’s iOS or iPadOS Mail app to take over your device. You don’t even have to open the email. All you have to do is be using Apple’s Mail app on one of your iOS devices. With that, a hacker can execute code remotely on your device, opening it up for them to snoop around and transfer data from it. They could even delete the email that came in, so you could never know it happened.

Here’s what you can do to protect yourself.

The Hack

This is an old exploit, going all the way back to iOS 6. However, Apple claims the hack has never been exploited in the wild, outside of the testing ZecOps did. ZecOps disagrees. They claim that the earliest exploits they could find using this attack method go back to 2018. However, they can’t confirm that these were successful intrusions. Apple claims they were not, as other parts of iOS prevent these exploits from working, though they couldn’t say how.

With iOS 12 and below, the hack requires the user to try to open the email, unless the hacker also has control of their mail server, which is highly unlikely. However, on iOS 13, the user merely has to receive the email, as Mail will “open” it for previewing in the background.

The hack is relatively simple, or at least triggering the vulnerability is. The hacker would send an email that causes the mail application to use too much memory. Once the memory is exhausted, the device will use local storage. That’s when the exploit can jump in. An email with a large text file or image would be enough to trigger this. It allows for out-of-bounds memory writes. Basically, think of a memory allocation space like a bucket. If you want to get the floor wet, you just have to pour enough water in the bucket to get it on the floor. But if the bucket automatically shut off the flow of water when it was full, you couldn’t get the floor wet this way. Now think of the water like malicious code, and you can get a general idea of how a memory overflow exploit works.
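The bucket analogy above as a small C model, added here as an illustration: it is not Apple's Mail code or ZecOps' proof of concept, and the arena layout and function names are hypothetical. It compares an append with no capacity check against one that refuses input that does not fit.

```c
#include <stdio.h>
#include <string.h>
#define BUCKET_CAP 16  /* the "bucket": space reserved for message data */
#define FLOOR_LEN  16  /* the "floor": unrelated data stored right after it */

/* One arena holds both, so the simulated spill stays inside memory we own. */
struct arena {
    unsigned char bytes[BUCKET_CAP + FLOOR_LEN];
    size_t used;  /* bytes written so far, counted from the start of the bucket */
};
static void arena_init(struct arena *a) {
    memset(a->bytes, 0, BUCKET_CAP);
    memset(a->bytes + BUCKET_CAP, 'F', FLOOR_LEN);  /* neighbouring data */
    a->used = 0;
}

/* No shutoff: never compares against BUCKET_CAP. Returns bytes spilled. */
static size_t append_unchecked(struct arena *a, const void *src, size_t len) {
    size_t room = sizeof a->bytes - a->used;  /* clamp only keeps the demo defined */
    if (len > room) len = room;
    memcpy(a->bytes + a->used, src, len);
    a->used += len;
    return a->used > BUCKET_CAP ? a->used - BUCKET_CAP : 0;
}
/* With shutoff: refuses any write that does not fit in the bucket. */
static int append_checked(struct arena *a, const void *src, size_t len) {
    if (a->used > BUCKET_CAP || len > BUCKET_CAP - a->used) return -1;
    memcpy(a->bytes + a->used, src, len);
    a->used += len;
    return 0;
}

/* Returns 1 if nothing outside the bucket has been modified. */
static int floor_is_intact(const struct arena *a) {
    for (size_t i = BUCKET_CAP; i < sizeof a->bytes; i++)
        if (a->bytes[i] != 'F') return 0;
    return 1;
}

int main(void) {
    const char msg[] = "AAAAAAAAAAAAAAAAAAAAAAAA";  /* constructed 24-byte input */
    struct arena a;
    arena_init(&a);
    size_t spilled = append_unchecked(&a, msg, sizeof msg - 1);
    printf("unchecked: spilled %zu, floor intact %d\n", spilled, floor_is_intact(&a));
    arena_init(&a);
    int rc = append_checked(&a, msg, sizeof msg - 1);
    printf("checked: rc %d, floor intact %d\n", rc, floor_is_intact(&a));
    return 0;
}
```

The length test in `append_checked` is written as a subtraction from the capacity so that a very large `len` cannot wrap the comparison.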

Once the hack is complete, the hacker can delete the email and all traces of their hack. They may have downloaded emails, images, contacts, and more. These would likely be targeted attacks against high-profile people, rather than something a hacker would distribute over a large area. Still, you could be at risk.

Prevention Methods

iOS 13.4.5

Apple says this exploit hasn’t been used outside of ZecOps’ testing. Still, it’s a worrying hack, and you may want to take a few measures to protect yourself. Unfortunately, they’re a bit time consuming.

If you’re on the iOS Beta, you’re safe. This only affects up to iOS 13.4.4. 13.4.5 is safe. Therefore, you could put your iPhone and iPad on the public beta program, if it’s not already, and update.

Because this fix is already in the next update, and Apple has been testing this beta update, you may want to just wait until next week, when Apple could release the iOS update.

Ditch Apple Mail

Apple Mail is an easy to set up email app that’s baked into your OS. Therefore, most iOS users use it, even if they have mail accounts from third parties. However, this hack doesn’t take advantage of all email, just Apple’s Mail app. Therefore, if you swap out your email apps, you can protect yourself until Apple updates iOS.

Some of the best options are Spark, Newton Mail, and Gmail. Spark is at the top of my list, as Readdle’s other apps, like PDF Expert, are among my favorites for iOS and macOS productivity.

Once you have a new email client chosen, transfer over all your mail accounts to the new app. You may need to search how to do this for each app. iCloud emails, for example, require a special application password. Now for the hard part, removing the Mail app.

You could turn off every account that the Mail app uses. To do this, go into Settings > Passwords & Accounts. From there, you can remove the Mail app from your accounts, without necessarily removing the accounts. This will make it easier to turn them back on if you choose to do so.

You’ll also want to disable mail for your iCloud account, which you can do with a toggle switch in your iCloud settings. Tap your account at the top of Settings > iCloud, and turn off mail.

You can take one final step. Apple lets you delete built-in apps and “download” them from the App Store later. What you’re actually doing is disabling the app and hiding it from the Home Screen, but it’ll be enough to ensure that the app and its extensions in other apps are shut down. To do this, just delete it like you would any other app, then “download” it from the iOS App Store once you update to 13.4.5.

Update ASAP

Check nightly for updates. You can set up your iPhone to update automatically overnight when plugged in. Unless you use a sleep tracking app, you won’t even have to think about staying up to date. If you are using a sleep tracking app, be sure to update before you go to bed. Give your device up to half an hour to update, though it will likely only take about 10 minutes, at most.

This will go away with an update. So, if you just want to keep your iPhone up to date and take the risk, you can do that as well. It’s a big hack, so Apple may want to rush a fix out the door as early as next week.

