According to Google's hackers, an iPhone hacking spree has been going on for years.
In July 2014, Google announced Project Zero, a team of ethical hackers employed to find undiscovered vulnerabilities, known as zero-days, across the internet. The goal was to prevent these newly found bugs from being exploited by criminals, ranging from standalone hackers to state-sponsored ones.
Recently, everyone’s favorite phone manufacturer seems to be under threat. Earlier we reported how iPhone cables could be tampered with to hack your iPhone, and now even that isn’t required. In the latest development, the Threat Analysis Group (TAG) from Project Zero has discovered malicious websites that, when visited, could stealthily hack into a user’s iPhone and access private data such as messages, photos, and location.
This technique is known as a “watering hole attack.” An alarming factor here is that these compromised websites receive thousands of visitors, and every visitor can potentially be compromised: if the exploit launched against them succeeds, a monitoring implant is installed on the device.
Moreover, Apple is reputed for its strong security, and recently raised its security bug bounty reward to $1 million. Seeing such a company compromised leaves us feeling unsafe about the hundreds of other businesses we interact with.
As explained in a blog post by the team, five unique exploit chains were found, which were being used to attack every version from iOS 10 to iOS 12. For the unfamiliar, an exploit chain is best illustrated by Andrew Whitaker of InformIT:
“A trail of ants carries parts of leaves up a tree trunk. The ants work separately, but the whole group is working together to carry their food. Each ant takes a small part of a leaf; when combined, these parts make up the entire leaf. The same approach is taken by skilled hackers; rather than relying on a single attack point, they chain their exploits together to form one larger attack.”
In total, 14 exploits were discovered across these five exploit chains:
- Seven in the iPhone’s Safari browser, the default browser used by the majority of iPhone users.
- Five in the kernel, allowing root access. This is very dangerous, as the attacker can execute code that even the device’s owner cannot, because of the permission restrictions Apple puts in place by default.
- As put by Google, “The implant could access the device’s keychain, which includes passwords and database files used by end-to-end encrypted messaging apps like WhatsApp, Telegram and iMessage.”
- Two sandbox escapes, which is when an app gains access to data or resources beyond the permissions granted to it, or belonging to another app.
It is important to note that these security flaws were found on 1 February 2019 and reported to Apple at the time with a seven-day deadline to release a patch in a new update, a departure from the usual 90-day deadline. As Zack from TechCrunch puts it,
“That’s a fraction of the 90 days typically given to software developers, giving an indication of the severity of the vulnerabilities.”
While these specific exploits have been patched, it is wise to assume that more undiscovered ones may well be out there. A normal user, or even a highly technical one, will never be fully safe and can only take appropriate precautions. In this case, for example, users who were careful about the sites they visited could have avoided the malicious ones, but we can never know for sure.
For those interested in delving into the five exploit chains individually, Google has released blog posts detailing the implant that was used and a thorough analysis of the other components, including the code.