As if things weren’t bad enough, Apple released confirmation yesterday that an exploit on iPhones and iPads renders these devices vulnerable data breaches—even if the devices in question are entirely up to date.
The best part? Analysts believe this exploit has been around for years, potentially exposing data from up to half a billion devices in the process.
A story from Reuters lists the details of the exploit, starting with its origin: the Mail app. Allegedly, attackers were able to send an “apparently blank” email to a victim’s phone; when accessed through the Mail app, the iPhone or iPad would crash, thus leading to a reset during which an attacker could access information on the device.
While specifics on the information readily retrievable varies, it seems that attackers would feasibly be able to access the contents of the Mail app, contacts, and photos. Considering how many people link their main email accounts to the Mail app rather than using a third-party email client, one can imagine how devastating this attack could be.
Indeed, the firm which discovered the exploit—a mobile security forensics company by the name of ZecOps—mentioned that the hack had been used in the past against a client of theirs: a “Fortune 500 North American technology company” that they refrained from naming. Naturally, the implications of such an attack are grim for any citizen, to say nothing of an established company.
In the wake of this kind of information, we typically would advise that you update your device to the most recent version of iOS and practice safe email techniques such as refraining from opening messages from people or services you don’t recognize; however, what sets this exploit apart from similar circumstances is its perseverance through several generations of Apple’s mobile operating system.
With that said, Apple plans to push out an update that fixes the exploit and prevents it from being used against iPhone or iPad users in the future—a pyrrhic victory when one considers the sheer number of phones that may have been compromised, to be sure, but it’s the most anyone can do for now.
