Security researchers at Google’s Project Zero have discovered what they say “may be one of the largest attacks against iPhone users ever.” The foundation of the attacks is a series of hacked websites that have been reportedly distributing malware to random iPhone users.
Ian Beer of Project Zero released a blog post in which he explained the attacks were done with “no target discrimination” towards users and that they were completely random. Users could have been affected just by visiting one of the hacked websites, which were reportedly being visited thousands of times a week.
Google’s Threat Analysis Group (TAG) identified five separate, complete iPhone exploit chains covering iOS 10 through every version of iOS 12, which means the exploitation spanned a period of a few years. “This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years,” Beer wrote.
Once users visited one of the hacked sites with their iPhone, they were infected with the malware. The implant focused primarily on uploading live user location data and stealing files from the iPhone, reportedly doing so up to once a minute. Because the device itself was compromised, other services - such as iMessage - were also exposed to the malware.
“Working with TAG, we discovered exploits for a total of fourteen vulnerabilities across the five exploit chains: seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes. Initial analysis indicated that at least one of the privilege escalation chains was still 0-day and unpatched at the time of discovery.”
-Ian Beer, Researcher at Google Project Zero
According to Beer, Project Zero reported the issues to Apple. The issues were fixed with the release of iOS 12.1.4.
While Apple did fix the issues, it took issue with how Google reported them, saying in its own words that the write-up was “creating the false impression of mass exploitation.” Apple stated that the attack was limited to fewer than a dozen websites carrying content aimed at the Uighur community, rather than being as broad as Google made it out to be. Apple also disputed the claim that the exploitation lasted for two years, saying it ran for “roughly two months.”
Apple says that security is a “never-ending journey” and that the security of iOS is “unmatched,” while also saying it takes full responsibility for the end-to-end encryption on its devices. In Apple’s view, the exploit was its fault, but it has now been fixed and that should be the end of the matter.