Germany’s Federal Ministry for Information Security (BSI) is currently warning against using the iOS Mail app due to the discovery of two critical security vulnerabilities that enable attackers to compromise iOS and iPadOS devices. macOS is not affected.
Note: Apple has apparently closed the vulnerability mentioned in the article with iOS 13.5. A patch is also available for older devices, which can be updated to iOS 12.4.7. The information comes from ZecOps, the security company that originally reported the vulnerabilities in iOS.
All an attacker needs to do to compromise a device is send an e-mail. This could enable them to read, edit and delete e-mails, which is why the BSI has categorised the vulnerability as critical. It is not yet known if devices can be further compromised.
Apple has not yet made a patch available. The only option for protecting devices is to deactivate e-mail synchronisation or to delete the app. BSI president Arne Schönbohm made the following statement on the BSI website:
“BSI has categorised this vulnerability as critical as it gives attackers the possibility to manipulate e-mail communication on affected devices. As there is currently no patch available, thousands of iPhones and iPads belonging to private people, businesses and authorities are at risk. We have contacted Apple and asked them to work on a solution to secure their products as quickly as possible”.
The BSI’s official recommendations are:
Customers with an EMM device management system are advised to disable Mail app synchronisation centrally via the EMM. The Mail app can also be hidden on supervised devices with advanced management interfaces.
In order to ensure continued access to e-mails, it is recommended to switch to using the e-mail app of the respective UEM provider.
| EMM/MDM Provider | App Alternative |
| --- | --- |
| MobileIron (Core & Cloud) | MobileIron E-Mail+ |
| VMware Workspace ONE UEM | VMware Boxer |
| Microsoft Intune / Endpoint Manager | Microsoft Outlook |
| Citrix Endpoint Manager | Citrix Secure Mail |
| BlackBerry | BlackBerry Work |
The app and its configurations can be automatically provisioned via the EMM system.
It’s possible to switch to an alternative even without a management system. The Microsoft Outlook App, for example, is available on iOS. HCL (formerly IBM) Notes customers can switch to HCL Verse.
Update your devices as soon as Apple releases a patch. The EMM system can make use of compliance policies to force the update and automatically disable synchronisation on all unsafe devices.
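A compliance check of the kind described above, as an added example (not code from the BSI, Apple or any EMM vendor): it reads a device inventory export and lists the devices still below the fixed releases named in the note (iOS 13.5, or 12.4.7 for older devices), which are the ones where Mail synchronisation should stay disabled. The CSV column names and sample rows are constructed, and treating releases older than 12 or unparseable versions as unsafe is an assumption.

```python
import csv
import io

# Fixed releases named in the note above: iOS 13.5, and 12.4.7 for older devices.
FIXED_BY_MAJOR = {12: (12, 4, 7), 13: (13, 5, 0)}

# Constructed sample inventory export; the column names are assumptions.
SAMPLE_INVENTORY = """device_id,platform,os_version
ipad-001,iPadOS,13.4.1
iphone-002,iOS,13.5
iphone-003,iOS,12.4.6
iphone-004,iOS,12.4.7
iphone-005,iOS,11.4.1
ipad-006,iPadOS,13.5.1
mac-007,macOS,10.15.4
iphone-008,iOS,unknown
"""


def parse_version(text):
    """Return (major, minor, patch), or None if the string is not numeric."""
    try:
        parts = [int(p) for p in text.strip().split(".")]
    except ValueError:
        return None
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def needs_mail_sync_disabled(platform, os_version):
    """True if the device should be treated as unsafe for the built-in Mail app."""
    if platform not in ("iOS", "iPadOS"):
        return False  # the article states macOS is not affected
    version = parse_version(os_version)
    if version is None:
        return True  # fail closed: unknown version is handled as unpatched
    major = version[0]
    if major in FIXED_BY_MAJOR:
        return version < FIXED_BY_MAJOR[major]
    # Assumption: no fix is named for releases older than 12; later majors include it.
    return major < 12


def unsafe_devices(inventory_csv):
    """Return the device IDs that are below the fixed release for their branch."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return [row["device_id"] for row in reader
            if needs_mail_sync_disabled(row["platform"], row["os_version"])]


if __name__ == "__main__":
    print(unsafe_devices(SAMPLE_INVENTORY))
```
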
A blanket and comprehensive solution is not currently available and each approach has its own challenges. The Bechtle Mobility Consultants are happy to answer any questions you may have.