Google’s Project Zero warns of a ‘sustained effort’ to hack iPhones over past two years, via poisoned websites
Security researchers at Google’s Project Zero have warned of the cyber risks now facing Apple iPhone users after uncovering a “sustained effort” to attack the devices “in the wild”.
The researchers detailed how hackers utilised booby-trapped websites to try to carry out zero-day attacks against visiting iPhone users.
Apple security is usually pretty good, but earlier this month it accidentally reopened a previously patched flaw with a new operating system update. The firm has now fixed the problem with a fresh iOS update.
The iPhone zero-day attack, which has been ongoing for the past two years, was detailed in a blog post by Ian Beer of Project Zero.
“Earlier this year Google’s Threat Analysis Group (TAG) discovered a small collection of hacked websites,” wrote Beer. “The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day.”
Beer warned these hacked websites had been visited thousands of times a week, and just visiting the booby-trapped website could trigger the “exploit server to attack your device, and if it was successful, install a monitoring implant.”
The goal of the implanted malware was to hoover up the iPhone's contacts, images and other data such as GPS locations. The malware would then relay this stolen data back to an external server every 60 seconds.
The researchers said they identified five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12.
“This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years,” Beer warned.
It seems the hackers used 12 separate security flaws in order to compromise devices, mostly via flaws within the Safari web browser.
The good news is that Google informed Apple of the flaws on 1 February 2019.
Six days later Apple released a patch for the vulnerabilities.
This is further evidence of the importance of ensuring Apple devices are kept up-to-date.
“This just highlights how important it is to keep your devices updated to the latest iOS,” said Jake Moore, cybersecurity specialist at ESET. “Threat actors will not stop at anything to try and exploit Apple’s operating system where they can.”
“Not only would such inconvenience or even malware have such a damaging effect to Apple and its users, cybercriminals around the world see breaking Apple’s ecosystem as a sort of a pinnacle of their ‘career’ so this amount of attacking will only ever increase,” warned Moore. “There are much kudos to be had to take down such a secure environment of this level that it gets more attention than it possibly warrants from bad actors.”
Apple does sometimes slip on the security front. In June 2015, for example, Apple reportedly knew about major zero-day flaws in its iOS and OS X operating systems for at least eight months.
That was the claim made by six university researchers from Indiana University, Peking University and the Georgia Institute of Technology, who said they informed Apple of the flaws back in October 2014.