Google's Project Zero, a group of security experts that specializes in finding zero-day exploits, has gone public about web-based exploits affecting iPhones that may have harvested data from thousands of users over several years.
In a series of seven blog posts on the Project Zero page, team member Ian Beer explained how malicious websites were able to use five different exploit chains to infect iPhones with malware that would then harvest users’ data.
"We estimate that these sites receive thousands of visitors per week," Beer wrote.
The exploited vulnerabilities were patched by Apple with iOS 12.1.4 in early February. But the fact that the attacking websites were active for so long, and potentially compromised so many iPhones, severely undermines the popular conception that iOS is nearly impossible to hack.
The websites were part of a classic "watering hole" attack: they drew in interested visitors only to ambush them, attempting to hack anyone who visited. If the attack succeeded, the hackers’ monitoring software was then implanted on the device.
Google did not provide specific information about where the malicious websites were hosted, or who the targets were -- just that the attackers monitored "the private activities of entire populations in real time."
"To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group," Beer wrote.
How the iPhones were hacked
This software could access contacts, GPS data, images and data from apps like Gmail, WhatsApp and iMessage, which could then be sent back to a server set up by the hackers every 60 seconds. End-to-end messaging encryption was not cracked, but it didn't need to be, because the attackers could see the messages displayed on the phones' screens.
The five exploit chains were made up of 14 separate vulnerabilities, with seven of them coming from Safari, the default iOS web browser, and another five found within iOS’ kernel, the central code that runs iPhones and iPads.
Each chain was designed to target different versions of Apple’s iOS mobile operating system. Devices running iOS 10 or later were vulnerable to at least one attack vector over the 28-month period between the launch of iOS 10 in September 2016 and the discovery of the issues in January 2019.
The Project Zero team informed Apple about the problems on February 1, 2019, and the problems were patched within a week.
Unlike many other security problems, which are discovered by researchers, disclosed privately and then fixed before anyone with bad intentions can use them, these problems had been exploited for years before they were fixed.
Chances are that your iPhone is now safe from these unnamed websites, but it’s good to make sure that you’ve updated your phone to the latest version, iOS 12.4.1. This is the best way to make sure that your device is safe from the latest online threats, amongst other benefits like new features.
Until now, it's been considered expensive and rare to have working exploits against iPhones -- hence Beer's reference to a "million-dollar dissident" targeted by an intelligence agency.
But these attacks against iPhones, while almost certainly carried out by a nation-state intelligence service, were cheap, sloppy and successful.
"This is terrifying," Malwarebytes security researcher Thomas Reed told Wired. "The fact that someone was infecting all iPhones that visited certain sites is chilling."