Technology
Hacked sites attacked thousands of iPhones every week for years using undiscovered exploits
In what’s being touted as potentially one of the biggest attacks on iPhone users ever, Google has revealed that a collection of websites were hacked to deliver malware onto iPhones, with the iOS vulnerabilities involved going unchecked and undiscovered for years — as well as subsequent attacks.
The hacks installed zero-interaction malware into unnamed sites that received thousands of visitors every week. Simply visiting the sites, without clicking or scrolling at all, could deliver a monitoring implant onto users’ iPhones.
Google demonstrated that the implant could “steal private data like iMessages, photos and GPS location in real-time”; it also had access to users’ keychains and password data, as well as database files containing plaintext of messages sent and received in messaging apps such as Google Hangouts, and even end-to-end encrypted apps including WhatsApp, iMessage, and Telegram.
The malware would be wiped if the iPhone was rebooted, but any sensitive information obtained during the infection could still leave the device, its user, and their online life vulnerable to attack.
While the choice of sites appeared designed to target certain communities, the attack was otherwise indiscriminate.
Google’s security research initiative Project Zero posted a “very deep dive” detailing the exploits, which their Threat Analysis Group discovered and disclosed to Apple in Feb. 2019.
The team found five “separate, complete and unique” exploit chains using 14 vulnerabilities. Several were zero-day, meaning Apple was unaware of them at the time of Project Zero’s discovery; Apple patched these within the seven-day deadline Google gave in iOS 12.1.4, the same Feb. 7 update that patched the infamous Group FaceTime vulnerability.
The exploits date back to iOS 10 and through updates of iOS 12.1.2, encompassing “almost every version” in that timeframe.
This is a huge find by Google’s team. Attribution for these sites is going to be critical to understanding what impact they might have had. https://t.co/MNFW7SakQU
— Alex Stamos (@alexstamos) August 30, 2019
The number of Apple exploits discovered appears to have risen sharply over the past year. At the end of July, Project Zero revealed six zero-interaction security bugs that could be exploited through iMessage, only five of which Apple had managed to patch by the time the Google team revealed them. And in August, news broke of the SQLite vulnerability, as demonstrated at DEFCON 2019 using the iOS Contacts app, as well as the vulnerability to the Bluetooth-based “KNOB” attack that affected every iPhone and iPad.
-
Entertainment7 days ago
OpenAI’s plan to make ChatGPT the ‘everything app’ has never been more clear
-
Entertainment6 days ago
‘The Last Showgirl’ review: Pamela Anderson leads a shattering ensemble as an aging burlesque entertainer
-
Entertainment7 days ago
How to watch NFL Christmas Gameday and Beyoncé halftime
-
Entertainment6 days ago
Polyamorous influencer breakups: What happens when hypervisible relationships end
-
Entertainment5 days ago
‘The Room Next Door’ review: Tilda Swinton and Julianne Moore are magnificent
-
Entertainment4 days ago
‘The Wild Robot’ and ‘Flow’ are quietly revolutionary climate change films
-
Entertainment4 days ago
Mars is littered with junk. Historians want to save it.
-
Entertainment5 days ago
CES 2025 preview: What to expect