It's time to update your iPhone—again.
Last week, Apple released a major update (iOS 14.5) that allows users to tell apps to stop tracking them, adds 217 new emojis, and fixes a slew of 50 security bugs. Now, just a week later, the company is releasing another update, this time to fix two vulnerabilities that hackers were using to exploit iPhones in the wild.
Since the beginning of 2021, Apple has patched seven bugs that "may have been actively exploited," according to Motherboards's count of vulnerabilities mentioned in Apple disclosures. That means the company is relatively confident that some hackers somewhere were taking advantage of those bugs to hack iPhones—something the industry usually refers to as zero-days caught "in the wild." To be clear, if a bug is being used "in the wild," that means that a hacker is using it to hack people. In this case, that means Apple fixed these bugs only after iPhone users were being hacked by some unknown-to-us entity.
The good news is that Apple, with the help of other companies and researchers, is not only patching these dozen security vulnerabilities but is also able to see that they are being used in the wild. The bad news is, well, that they were being used in the wild and that there have been seven different vulnerabilities of this type disclosed in the last four months, which is a lot of security vulnerabilities. Out of the seven in the wild vulnerabilities fixed by Apple this year, five of them were in Webkit, the browser engine developed by the company and used in Safari.
Do you research vulnerabilities on Apple's products? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
For context, Google Project Zero, the company's team dedicated to tracking these vulnerabilities across the industry, counted 25 zero-days being used in the wild in all of 2020, meaning across Windows, Chrome, iOS, Firefox, and other major software. Of course, there are surely others that have not been detected, and it's very difficult to know at any moment how many and what types of vulnerabilities are being exploited across all platforms and pieces of software.
Last month, Maddie Stone, the Google researcher who tracks these kinds of security vulnerabilities reported 16 zero-days "detected in-the-wild" so far this year, meaning the trend is upwards across the industry. Google did not respond to a request for comment.
Researchers who specialize in looking for vulnerabilities and exploits for iOS consider this amount of iPhone vulnerabilities being exploited in the wild to be high.
"Indeed there have been quite a lot," one iOS security researcher, who asked to remain anonymous to discuss sensitive industry issues, told Motherboard. "It usually means that this is pretty aggressively exploited."
Patrick Wardle, a researcher who specializes on Apple products said that targeting WebKit makes sense as there are a lot of bugs in it. Wardle's theory is that after Apple made it harder to hack users through iMessage last year, WebKit has become the next best target.
The big question is why it seems like there's more WebKit bugs lately than before.
"So why we are seeing more in 2021? I'd venture a guess that there is either improved insight and detection capabilities of the use of such zero-days, or just that their use is really becoming more prolific," Wardle said.
It's quite difficult to say whether iOS security is "getting worse," as that depends on specifics which are very difficult to have full insight into. Apple could be getting better at detecting bugs that have existed for a long time. There could be more bugs than normal. There could be more people trying to hack iPhones in an industry that can be lucrative and has been growing for years. There could simply be a couple big bugs in WebKit that make it easy to exploit for a while until Apple fixes it.
Apple declined to comment for this story.
In general, there have been a lot of zero-days in the last couple of years. In November of 2020, Google said that it had found an unspecified hacking group using seven zero-days in Chrome, Android, Windows, and iOS. When the company published more details about that hacking campaign, it revealed that actually it had been 11 zero-days.
It's important to stress that as a regular user, it's still incredibly unlikely that sophisticated hackers, such as those working for governments and spy agencies, will target you with these vulnerabilities. But you should always update your iPhone, even if there's no new emojis this time.
Correction, May 5, 11:35 a.m. ET: A previous version of this article stated that there had been 12 vulnerabilities that “may have been actively exploited” in the wild, of which 11 were in WebKit. The total vulnerabilities were actually seven, of which six in WebKit.
Subscribe to our cybersecurity podcast CYBER, here.