Malicious websites have been quietly hacking iPhones for the past couple of years

Apple always makes tall claims about privacy and security, but from time-to-time there are eye-opening reports of loopholes that somehow manage to let hackers in, giving users this creepy feeling of insecurity. A bunch of security researchers working at Google’s Project Zero have revealed what in all probability is the biggest attack against iPhone users yet. The researchers at Project Zero basically uncovered a series of hacked websites that have been attacking iPhones for years without anyone knowing. [caption id=“attachment_6535661” align=“alignnone” width=“1280”] Representational image.[/caption] As per the blog post, there are a number of websites that have been at work attacking iPhones users that visited them. Soon after reporting their findings to Apple, the iPhone manufacturer patched the vulnerabilities earlier this year.

How it worked

Simply put, a user visits the malicious website, using a vulnerable iPhone, and everything from personal files, to messages, and even real-time location data would become accessible to the hackers. As per the post just visiting the hacked website was “enough for the exploit server to attack your device”. And once it was successful it would install a monitoring implant which would get access to an iPhone’s keychain. “The implant is primarily focused on stealing files and uploading live location data. The implant requests commands from a command and control server every 60 seconds,” wrote Beer in the post. Some of the attacks made use of zero-day exploits, hacks that a smartphone manufacturer itself is not aware of (in this case Apple). The attack itself was quite primitive and simply restarting the iPhone would disable the attack as the hack was not persistent. Rebooting an iPhone would wipe the malware, but given the scale of the information that was acquired even in one go, it would be enough to give hackers access to other services like WhatsApp and iMessage.

How it was detected

Ian Beer from Google’s Project Zero wrote that they became aware of the problem when Google’s Threat Analysis Group (TAG) discovered a small collection of hacked websites. Turned out that these hacked websites were being exploited and used in attacks against their visitors. TAG was able to pick out five separate websites and unique iPhone exploit chains that covered every software version from iOS 10 all the way to iOS 12. The websites started picking on iPhones from around September of 2016 and were active all the way until January 2019 until Apple was notified and the long list of vulnerabilities were patched. In all, there were about 14 vulnerabilities across five exploit chains. The Project Zero team reported the issues to Apple after which the iPhone maker released an unusual iOS 12.1.4 software update to affected iPhones that ranged from the iPhone X to the iPhone 5S. Perhaps what is most interesting about the hack was how indiscriminate it was in the sense that simply visiting an exploited website would be enough to get an iPhone hacked. There’s no need for a special link like in most cases where malware is implanted. More importantly, it also shows how patient the hackers behind these attacks can be. Indeed, the only way to protect yourself from these attacks is to update your iPhone to the latest software. Still, it’s hard to tell whether zero-day exploits even in your current iPhone have been plugged or not until they have discovered by security researchers.