Incident: Critical Bug in iPhone Mail App Allows Email Theft.

Published Date: 2020-04-23

Postmortem Analysis
Timeline 1. The software failure incident of the newly discovered bug in the built-in Mail app for iPhones happened in January 2018 [Article 98576].
System 1. Mail app for iPhones [98576]
Responsible Organization 1. Real-world attackers who actively exploited the bug in the Mail app for iPhones, targeting individuals such as a European journalist, a German "VIP," and individuals from a "Fortune 500 organization in North America" [Article 98576].
Impacted Organization 1. A European journalist 2. A German "VIP" 3. Individuals from a "Fortune 500 organisation in North America" [98576]
Software Causes 1. The software cause of the failure incident was a newly discovered bug in the built-in Mail app for iPhones that allowed an attacker to read, modify, and delete emails [98576].
Non-software Causes 1. The vulnerability was discovered by security company ZecOps, indicating a lack of thorough security testing during the development process [98576]. 2. The attack was actively exploited by real-world attackers since January 2018, suggesting a failure in detecting and addressing the vulnerability in a timely manner [98576]. 3. The attack was carried out by at least one nation-state threat operator, indicating potential geopolitical motivations behind the exploitation of the vulnerability [98576].
Impacts 1. The software failure incident allowed attackers to read, modify, and delete emails on iPhones, potentially leading to unauthorized access to sensitive information [98576]. 2. The vulnerability affected every version of iOS from 6 upwards, making a large number of iPhone users vulnerable to the attack until a patch is released [98576]. 3. Real-world attackers had been exploiting the bug since January 2018, indicating that the impact of the software failure was not just theoretical but had practical consequences for targeted individuals [98576]. 4. The attackers were able to cover their tracks by deleting the email used to trigger the exploit, enhancing the stealth and effectiveness of their attacks [98576]. 5. The incident raised concerns about the ease with which private data could be remotely exfiltrated from Apple devices, highlighting the severity of the software failure [98576].
Preventions 1. Regular security audits and penetration testing of the Mail app for iPhones could have potentially identified and addressed the vulnerability before it was exploited [98576]. 2. Implementing stricter input validation and filtering mechanisms within the Mail app to prevent the execution of malicious code embedded in specially crafted emails could have mitigated the risk of memory flooding attacks [98576]. 3. Timely deployment of software updates and patches by Apple to address known vulnerabilities could have prevented the exploitation of the bug by attackers [98576]. 4. Enhanced monitoring and logging capabilities within the Mail app to detect and alert on suspicious activities, such as memory flooding attempts, could have provided early warning of potential attacks [98576].
Fixes 1. Patching the vulnerability in the next version of iOS, 13.4.5 [Article 98576] 2. Disabling the Mail application and using alternative applications like Outlook or Gmail until the update is available [Article 98576]
References 1. Security company ZecOps [Article 98576] 2. Jake Moore, a cybersecurity specialist at Eset [Article 98576] 3. Satnam Narang, principal research engineer at Tenable [Article 98576]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization (a) The software failure incident related to the vulnerability in the built-in Mail app for iPhones has happened again at one_organization. The security researchers found at least six instances when they believe the bug was actively exploited, with targets including a European journalist, a German “VIP,” and individuals from a “Fortune 500 organization in North America” [98576]. (b) The software failure incident related to the vulnerability in the built-in Mail app for iPhones has not been explicitly mentioned to have happened again at multiple_organization in the provided article.
Phase (Design/Operation) design, operation (a) The software failure incident related to the design phase is evident in the newly discovered bug in the built-in Mail app for iPhones. The bug allowed an attacker to read, modify, and delete emails, indicating a failure due to contributing factors introduced during system development [Article 98576]. (b) The software failure incident related to the operation phase is highlighted by the fact that the attack works by sending specially crafted emails that flood the memory of a device, allowing the attacker to break out of the protections that Apple normally puts in place to prevent Mail accidentally running malicious code. This indicates a failure due to contributing factors introduced by the operation or misuse of the system [Article 98576].
Boundary (Internal/External) within_system (a) within_system: The software failure incident related to the discovered bug in the built-in Mail app for iPhones is a within-system failure. The vulnerability exists within the iOS Mail application itself, allowing attackers to exploit it by sending specially crafted emails to the device, which then flood the memory and bypass Apple's protections [98576]. The bug affects every version of iOS from 6 upwards and can be exploited on the latest version of iOS without any user interaction. Apple has acknowledged the issue and is working on patching it in the next version of iOS, 13.4.5 [98576]. (b) outside_system: The software failure incident related to the discovered bug in the Mail app for iPhones does not involve contributing factors originating from outside the system. The vulnerability is inherent within the Mail application and can be exploited through crafted emails, indicating that the failure is primarily within the system [98576].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident in the article is primarily due to non-human actions, specifically a newly discovered bug in the built-in Mail app for iPhones that allows an attacker to read, modify, and delete emails. This bug can be exploited by sending specially crafted emails that flood the memory of a device, enabling the attacker to break out of the protections normally in place to prevent malicious code execution [Article 98576]. (b) The software failure incident in the article is also influenced by human actions, as real-world attackers have actively exploited the bug in the Mail app to target specific individuals, including a European journalist, a German "VIP," and individuals from a Fortune 500 organization in North America. The attackers have been able to cover their tracks by deleting the emails they sent to trigger the exploit, indicating deliberate targeting and actions by threat actors [Article 98576].
Dimension (Hardware/Software) software (a) The software failure incident in Article 98576 is related to a vulnerability in the built-in Mail app for iPhones, which is a software issue. The vulnerability allows an attacker to read, modify, and delete emails by exploiting a bug in the Mail app. This vulnerability originates in the software itself and not in the hardware of the iPhone. (b) The software failure incident in Article 98576 is specifically related to a bug in the built-in Mail app for iPhones. This bug allows attackers to exploit the software vulnerability to gain unauthorized access to emails. The failure originates in the software code of the Mail app, making it a software-related issue.
Objective (Malicious/Non-malicious) malicious (a) The software failure incident described in the article is malicious in nature. The incident involves a newly discovered bug in the built-in Mail app for iPhones that could allow an attacker to read, modify, and delete emails. The bug is being actively exploited by real-world attackers, including instances where the bug was used to target specific individuals such as a European journalist, a German "VIP," and individuals from a Fortune 500 organization in North America. The attackers, believed to be at least one nation-state threat operator, have been able to remotely exfiltrate private data from Apple devices by exploiting this vulnerability [98576].
Intent (Poor/Accidental Decisions) poor_decisions (a) The software failure incident related to the discovered bug in the built-in Mail app for iPhones can be attributed to poor decisions made during the development and maintenance of the software. The vulnerability allowed attackers to read, modify, and delete emails, posing a significant security risk to users [Article 98576]. Apple's delay in patching the vulnerability until the next version of iOS 13.4.5 left all iPhone users vulnerable to the attack, indicating a poor decision in prioritizing and addressing critical security flaws in a timely manner. Additionally, the fact that the bug had been actively exploited by real-world attackers since January 2018 highlights the consequences of not addressing known vulnerabilities promptly, further emphasizing poor decisions in software security management.
Capability (Incompetence/Accidental) development_incompetence (a) The software failure incident related to development incompetence is evident in the newly discovered bug in the built-in Mail app for iPhones. The bug allowed an attacker to read, modify, and delete emails, affecting every version of iOS from 6 upwards [98576]. The severity of the bug was highlighted by the fact that it could be exploited on the latest version of iOS without any user interaction and had already been discovered in use by real-world attackers dating back to January 2018. The security company ZecOps recommended users to consider disabling the Mail application and use Outlook or Gmail instead until the vulnerability is patched [98576]. (b) The accidental nature of the software failure incident is seen in how the attack works by sending specially crafted emails that flood the memory of a device, allowing the attacker to break out of the protections that Apple normally puts in place to prevent Mail from accidentally running malicious code [98576]. The cybersecurity specialist Jake Moore mentioned that the attack had enough limitations to prevent it from being widely exploited, as each email would need to be specifically crafted for a single target, rather than a "mass hack" affecting thousands of people [98576].
Duration temporary (a) The software failure incident related to the bug in the built-in Mail app for iPhones is considered temporary. The vulnerability exists until Apple releases a patch in the next version of iOS, 13.4.5 [Article 98576].
Behaviour omission, value, other (a) crash: The software failure incident in the article is not related to a crash where the system loses state and does not perform any of its intended functions [Article 98576]. (b) omission: The software failure incident in the article is related to a vulnerability in the Mail app for iPhones that allows an attacker to read, modify, and delete emails, indicating an omission in performing its intended functions securely [Article 98576]. (c) timing: The software failure incident in the article is not related to timing issues where the system performs its intended functions too late or too early [Article 98576]. (d) value: The software failure incident in the article is related to the system performing its intended functions incorrectly, allowing attackers to exploit a vulnerability to steal email contents [Article 98576]. (e) byzantine: The software failure incident in the article is not related to a byzantine behavior where the system behaves erroneously with inconsistent responses and interactions [Article 98576]. (f) other: The software failure incident in the article involves the exploitation of a bug in the Mail app for iPhones that allows attackers to remotely exfiltrate private data, delete emails, and cover their tracks, showcasing a significant security flaw in the system [Article 98576].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, theoretical_consequence (a) death: There is no mention of any deaths resulting from the software failure incident in the articles. (b) harm: The articles do not mention any physical harm caused to individuals due to the software failure incident. (c) basic: There is no indication that people's access to food or shelter was impacted by the software failure incident. (d) property: The software failure incident resulted in the potential theft of private data from Apple devices, including emails, which could impact individuals' data security and privacy [98576]. (e) delay: The incident did not lead to any delays in activities as mentioned in the articles. (f) non-human: The software failure incident primarily affected Apple devices and the security of email communications, but there is no mention of any impact on non-human entities. (g) no_consequence: The articles clearly outline the consequences of the software failure incident, particularly related to the potential theft of email contents and data security vulnerabilities. (h) theoretical_consequence: The articles discuss the theoretical consequences of the software failure incident, such as the risk of private data exfiltration, potential exploitation by real-world attackers, and the need for users to switch to alternative email applications until the vulnerability is patched [98576]. (i) other: The articles do not mention any other specific consequences of the software failure incident beyond those discussed in relation to data security vulnerabilities and potential exploitation by attackers.
Domain information (a) The software failure incident reported in the article is related to the information industry. The vulnerability in the Mail app for iPhones allowed attackers to read, modify, and delete emails, potentially compromising sensitive information [98576].

Sources

Back to List