Now-fixed exploits were used to install monitoring implants
What just happened? Apple likes to push its devices as a safer option compared to its rivals, but they still have vulnerabilities. Security researchers at Google say a collection of hacked websites were used to deliver malicious software onto iPhones discreetly.
In a post published yesterday, Google’s Project Zero team writes that simply visiting one of the hacked sites could install a monitoring implant onto an iPhone. It adds that the attacks had been taking place for at least two years and that thousands of people visited the websites each week, making them susceptible to the “indiscriminate” attack.
The team said they found 12 separate security flaws, seven of which involved the iPhone’s built-in Safari web browser. The five different exploit chains gave attackers root access to a handset, allowing them to steal a huge amount of personal data.
The vulnerabilities were used to access victims’ photos, iMessages, and real-time GPS locations. The implant could also be used to steal keychain and password information and gather data from apps the person was using, even those with end-to-end encryption such as WhatsApp and Telegram. The vulnerabilities affect iOS 10 through to the latest iOS 12 version.
“This indicated a group making a sustained effort to hack the users of iPhones in certain communities,” wrote cybersecurity researcher Ian Beer.
Google informed Apple of the vulnerabilities on February 1 this year, giving it a seven-day deadline to fix them. The Cupertino firm issued a patch six days later for iOS 12.1.4 for iPhone 5s and iPad Air and later. The patch notes mention fixing an issue where “an application may be able to gain elevated privileges” and “an application may be able to execute arbitrary code with kernel privileges.”
Google never said who might be behind the attacks.