Published: Mon, September 02, 2019
Tech | By Anita Cain

IPhone users issued advices as serious hacking attack uncovered

IPhone users issued advices as serious hacking attack uncovered

The majority of the vulnerabilities targeted were discovered from the iPhone's default Safari browser, Beer stated, adding the Project Zero group had found them in virtually every operating system out of iOS 10 through into the existing iOS 12 variant.

"The hacked sites were being used as indiscriminate watering holes against their visitors", Beer said. By simply visiting the websites, the server could attack the device and implant a spyware that would give hackers access to the users' data including photos, location, contacts, and messages.

The vulnerabilities were exploited after the victim visited any of a small collection of hacked websites uncovered by Google's Threat Analaysis Group.

Even more frighteningly, the implant also had at least some access to the device keychain, which then allowed access to passwords and databases of encrypted messaging apps, such as Telegram, WhatsApp, and iMessage.

Apple has not commented further on the vulnerabilities.

The exploit chains were in use from around the time that iOS10 was released in September 2016 up through the beginning of 2019 and each individual chain worked against the latest, fully patched version of iOS available at the time. Given that these websites receive thousands of visitors weekly, avoiding them may not be easy. According to Apple, that only accounts for 12% of all active iOS devices, but it's still a hefty chunk of users. Soon after reporting their findings to Apple, the iPhone manufacturer patched the vulnerabilities earlier this year. Mass exploit campaigns like this collect a lot of data and therefore rarely use it immediately after its collected.

Thankfully for iOS users, Google reported this exploit to Apple on February 1 and it was apparently fixed via a security patch on February 7.

Later on, the agency managed to break into the terrorist's iPhone with the help of a third-party and released an extensively redacted document, revealing nearly nothing about the methods they used to hack the device.

Ian Beer warns users that while rebooting their iPhone can automatically wipe off the implant, albeit revisiting the hacked website would again reinstall it. iOS users are advised to update their devices to avoid such malicious hacking campaigns. In short, Apple's attempt to hide the nitty-gritty of computer maintenance and cybersecurity from users made it next to impossible for anyone other than Apple to discover the exploits.

"In the blog post, Beer wrote that he didn't want to try to put a price tag on the attacks, but said that "$1 million, $2 million, or $20 million" seemed low given the attackers' ability to "monitor the private activities of entire populations in real time". "Treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them".

Like this: