Apple prides on the security and privacy of its iPhones, but even the best devices can be subjected to cyber-attacks. Google's Project Zero Team announced a breach in the security of iPhones - thought to be powered by the most secure platform - allowing hackers to access sensitive information using malicious websites.
Google's Threat Analysis Group (TAG) discovered an "indiscriminate" hacking operation through a group of hacked websites targeting iPhone users over a period of two years. These websites were used to implant malware in the device to access personal information such as photos, encrypted chats, passwords and live locations.
Google's security experts did not reveal the hacked websites involved in the attack but noted that thousands of users visited the infected websites per week. Simply by visiting the hacked website, hackers were able to attack the device and then install and monitoring implant upon successful breach.
"We discovered exploits for a total of fourteen vulnerabilities across the five exploit chains: seven for the iPhone's web browser, five for the kernel and two separate sandbox escapes. Initial analysis indicated that at least one of the privilege escalation chains was still 0-day and unpatched at the time of discovery (CVE-2019-7287 & CVE-2019-7286)," Google's Ian Beer wrote in a blog post.
According to the blog post, the vulnerabilities that affected all versions of iOS, ranging from iOS 10 through iOS 12, were reported to Apple in February. The iPhone-maker released a security patch in iOS 12.1 within days of the vulnerabilities being reported.
What's most disturbing is the fact that if the malicious software was installed on an iPhone, it would steal files, upload live location data, and even access encrypted messages shared via secure platforms of Telegram, WhatsApp and iMessage. The affected apps also included Hangouts, Gmail and Contacts. The stolen data would then be sent back to a command and control server every 60 seconds.
But the heightened risk of the data being stolen on a compromised iPhone had a simple fix. If the user rebooted the device, the implant would be rendered useless. But the user would again be under risk if visited the malicious site again. Beer also noted that this was a "failure case for the attacker," but that doesn't mean users must not be careful.
"The reality remains that security protections will never eliminate the risk of attack if you're being targeted. To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group. All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them," Beer warned.
