iPhone Hack Highlights Home Office Data Security Risks

Recently, we cautioned companies to ensure that their workers’ mobile phones remain secure. On April 23, news about a possible security vulnerability in Apple’s iPhone mail system lends this recommendation additional urgency.

ZecOps, a San Francisco-based mobile security firm, claims to have discovered a hack targeting iPhones’ native email program. This hack is called a “zero click” attack, because unlike a typical “phishing” exploit, which requires the victim to click on a link in an email or text message, a “zero click” exploit can execute without the victim’s action or knowledge. According to ZecOps, the vulnerability enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory. The attackers can trigger the vulnerability before the entire email is downloaded, so the email content will not necessarily remain on the device. In other words, the perpetrators can send an email containing malicious code, and that code can then set off a chain reaction, or an “exploit chain” that overcomes the phone’s defenses and erases its tracks along the way. Such an attack can be nearly impossible to detect.

Although Apple says it is fixing the flaw, the good news is that this exploit does not appear to be widespread. Nonetheless, companies with workers who use iPhones to access confidential information—that is, most companies—should consider taking steps to ensure that those workers download the most recent software updates as they become available.