Bonn. The email app on Apple’s iPhones and iPad tablets has security gaps that are to be closed soon with an update of the operating system. The Federal Office for Information Security (BSI) raised the alarm and recommended that users delete the app or switch off email synchronization until then. The vulnerabilities make it “potentially possible to read, change and delete emails,” warned the authority. Apple said the company had no evidence that the vulnerabilities had already been used to the detriment of customers.
The American IT security company ZecOps had previously stated that it had found indications that two vulnerabilities had already been exploited in some cases. It was a very targeted attack. However, the researchers explained that they could no longer detect any malicious code on the affected devices, only evidence of it. The description raised doubts among some other industry experts as to whether one could already speak of evidence of successful attacks.
Apple added that the security company had pointed out three vulnerabilities and that, based on the information available, Apple had concluded that they “pose no immediate risk to our users”. Apple also pointed out that two other security holes would have to be exploited for a successful attack.
ZecOps, on the other hand, was able to find indications of at least six attacks based on the security vulnerabilities. Among the targets of the attacks were managers of large US companies and a Japanese mobile operator, a journalist in Europe and an unspecified “VIP in Germany”.
According to the experts, and in contrast to many attacks, the user does not have to click on an attached file. With the current iOS 13 operating system, the attack can be carried out in the background; with the previous iOS 12, the user had to open the email for it to work. “The BSI assesses these weaknesses as particularly critical,” the authority, which among other things secures the communications of the federal government, said on Thursday evening.
Vulnerabilities of which Apple or the Android developer Google are not yet aware are very popular with online criminals and secret services. Some of them are traded for millions. The vulnerabilities are only useful to attackers as long as they remain undetected. That is why they are usually only used in a very targeted manner against particularly valuable targets.
Apple wants to close the vulnerabilities with the next version of its mobile operating system iOS. The pre-release of iOS 13.4.5, published in mid-April, already contains the corresponding software code. There will be no reliable protection until the update is available to all users. (dpa)
© Mannheimer Morgen, Saturday, April 25th, 2020