Hacking the iPhone has long been considered a rare endeavor, undertaken by sophisticated hackers against only their most high-value targets. But a shocking discovery by a group of Google researchers has turned that notion on its head: For two years, someone has been exploiting a rich collection of iPhone vulnerabilities with anything but restraint or careful targeting. And they’ve indiscriminately hacked thousands of iPhones just by getting them to visit a web
Outlined in a blog post, Google said its Threat Analysis Group (TAG) uncovered the “small collection” of websites earlier this
“The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day,” writes Project Zero’s Ian Beer. “There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.”
In a blog post this week, Beer offered the more alarming backstory to the discovery and its potential threat.
Several months of analysis later, it seems these flaws were part of a haul of fourteen vulnerabilities abused by the group behind the attacks Google discovered.
Affecting iOS 10.x, 11.x and 12.x, seven related to the Safari browser, five to the iOS kernel, and two were sandbox escapes. Most of these had been patched over time, but the two reported to Apple above were zero days, hence the company’s rush to get 12.1.4 out only days after Google told it about the issue.
Google isolated five unique exploit chains – campaigns run over time using different combinations of flaws – one of which dated back to late 2016.
While the malware is cleaned from an infected iPhone upon rebooting, Beer notes attackers might be able to “maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device.” Alternatively, visiting the hacked site would reinstall the implant.
What does this mean for us?
Victims’ iPhones would have had malware installed in the form of a powerful monitoring implant capable of stealing chat messages (including WhatsApp, Telegram and iMessage) and photos, tracking users’ locations in real time, and even accessing the Keychain password store.
If you set out to design a compromise of a mobile device, it’d be hard to imagine a more complete one than this, excepting that this campaign was eventually detected.
Two caveats offer some encouragement: to take control of iPhones, attackers still had to tempt victims to specific websites. And the malware installed on the phones via the exploit chains stopped working when users rebooted their iPhones, in which case the attackers would have to start the infection over again.
Beer’s write-up hints that the attack may be the work of a nation state group trying to gather intel on specific groups of people for political reasons. We can’t verify if that’s true but if it is, it wouldn’t be the first.
Even if the average iPhone user wasn’t the target of the campaigns described by Google, that’s little comfort. We don’t know what other campaigns the group behind them may have been running or who else knew about these exploits.
However, one major strength of Apple’s platform is that the process of deploying updates is very smooth – a big difference from Android where updates aren’t available for some handsets and can take months to become available for others.
iOS has been secure against the exploit chains used in these attacks since version 12.1.4. To check what version you’re using, go to Settings > General > Software Update. This will tell you what version of iOS you’re using and if a newer version is available.