Google Says Malicious Websites Have Been Quietly Hacking iPhones for Years
It may be the biggest attack against iPhone users yet.
by Joseph Cox
Aug 30 2019, 12:35am
Image: Stefan Jaitner/picture alliance via Getty Images
In what may be one of the largest attacks against iPhone users ever, researchers at Google say they uncovered a series of hacked websites that were delivering attacks designed to hack iPhones. The websites delivered their malware indiscriminately, were visited thousands of times a week, and were operational for years, Google said.
"There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week," Ian Beer, from Google's Project Zero, wrote in a blog post published Thursday.
Some of the attacks made use of so-called zero day exploits. This is an exploit that takes advantage of a vulnerability that the impacted company, in this case Apple, is not aware of, hence they have had "zero days" to find a fix. Generally speaking, zero day attacks can be much more effective at successfully hacking phones or computers because the company does not know about the vulnerability and thus has not fixed it.
iPhone exploits are relatively expensive and the iPhone is difficult to hack. The price for a full exploit chain of a fully up to date iPhone has stretched up to at least $3 million. This includes various vulnerabilities for different parts of the iPhone operating system, including the browser, the kernel, and others to escape an application's sandbox, which is designed to keep code running only inside the part of the phone it is supposed to.
Do you work at companies selling these sorts of exploits? Did you used to? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
Beer writes that Google's Threat Analysis Group (TAG) was able to collect five distinct iPhone exploit chains based on 14 vulnerabilities. These exploit chains covered versions from iOS 10 up to the latest iteration of iOS 12. At least one of the chains was a zero day at the time of discovery and Apple fixed the issues in February after Google warned them, Beer writes.
Once the attack has successfully exploited the iPhone, it can deploy malware onto the phone. In this case "the implant is primarily focused on stealing files and uploading live location data. The implant requests commands from a command and control server every 60 seconds," Beer writes.
The implant also has access to the user's keychain, which contains passwords, as well as the databases of various end-to-end encrypted messaging apps, such as Telegram, WhatsApp, and iMessage, Beer's post continues. End-to-end encryption can protect messages from being read if they're intercepted, but less so if a hacker has compromised the end device itself.
The implant does not have persistence though; if a user reboots their iPhone, it will wipe the malware, Beer explains. But one infection can still of course deliver a treasure trove of sensitive information.
"Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device," Beer writes. The information is also transferred to the server unencrypted, the post adds.
Previously documented attacks have been more targeted in nature, typically by a text message sent to the target, along with a link to a malicious site, sometimes just for that target. This attack appears to, or at least has the potential to be, broader in scope.
"This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years," Beer added.
Apple did not immediately respond to a request for comment.
Update: This piece has been updated to include more information from Google's blog post.
Subscribe to our new cybersecurity podcast, CYBER.