Two significant vulnerabilities have been discovered in the latest version of iOS, the iPhone operating system. Both flaws have been fixed by Apple in the beta version of iOS, and will be fully addressed in the next software update.
Documented by ZecOps, an American start-up, the two flaws have been actively used in spying attempts, the company said. The company, which specializes in computer security, claims that some of its customers have been targeted by hackers using these vulnerabilities, including a manager of a Japanese telephone operator, employees of security services in Saudi Arabia and Israel, and a part of a Swiss company. Targets that suggest they may have been exploited by a group linked to a state.
“Zero click” and “zero day” vulnerabilities
The danger of the faults is considered serious by several independent experts of ZecOps, relates Vice. One of them is a so-called “zero click” flaw – it can work without the targeted person taking any action, such as clicking on a fraudulent link. According to ZecOps, the exploitation of the flaw, observed for the first time in 2019, involved sending a trapped email, but the recipient did not need to open it for it to trigger the flaw. Analysis of the phones after the fact also seems to show that the email was automatically deleted.
So-called “zero day” vulnerabilities, which have never been documented before, are rare on iOS. They are most often discovered by experts who resell them on specialized markets, where they are exchanged for very large sums. In most cases, exploiting these loopholes is a complex and costly process: the majority of buyers of this very particular “product” are intelligence services, mafia groups or spy companies.