Google security researchers are claiming that they have found a number of malicious websites that could hack into Apple’s iPhones by exploiting undisclosed software flaws.
TechCrunch reports that in a recently published blog post, Google’s Project Zero security research team claims that websites that were visited thousands of times per week were taking part in an “indiscriminate” cyberattack that attempted to install monitoring software on users’ Apple devices. Ian Beer, a security researcher at Project Zero, stated: “Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.”
The websites had reportedly been hacking iPhones for “a period of at least two years.” Researchers discovered at least five distinct exploit chains that involved 12 separate security flaws, seven of which are found in the iPhone Safari browser. The hacks allowed attackers to gain root access to users’ iPhones, meaning that they had access to the highest level of privilege on the iPhone.
Google stated that, according to their analysis, the vulnerabilities were used to steal users’ photos and messages and could track a user’s location in near real time. Google disclosed these vulnerabilities in February, giving Apple one week to fix the issues and roll out an update. Six days later, Apple released an update with iOS 12.1.4.
Google’s blog post on the issue includes:
detailed write-ups of all five privilege escalation exploit chains;
a teardown of the implant used, including a demo of the implant running on my own devices, talking to a reverse-engineered command and control server and demonstrating the capabilities of the implant to steal private data like iMessages, photos and GPS location in real-time, and
analysis by fellow team member Samuel Groß on the browser exploits used as initial entry points.
Read the full blog post here.