A Google security researcher has discovered a sustained and indiscriminate hacking attack on iPhones that is believed to have been going on for more than two years.
Google Project Zero
Details of the attack are outlined on Google’s ‘Project Zero’ blog (https://googleprojectzero.blogspot.com) by security researcher Ian Beer.
Using hacked websites for the attack
On the blog, Mr Beer highlights how Google’s Threat Analysis Group (TAG) discovered a small collection of hacked websites that were being used in indiscriminate ‘watering hole’ attacks against their visitors, using iPhone 0-day. Watering hole attacks are where the browsing patterns of particular groups are observed in order to lay a trap e.g. hack a website that the particular group visits and 0-day vulnerabilities in software are those that are either unknown or known and not patched.
Mr Beer’s TAG team noted that there has been no target discrimination for the attack but a simple visit to a hacked website appears to be enough for the exploit server to attack a person’s device, leading to the installation of a monitoring implant.
How many iPhone users have been affected?
Mr Beer’s team estimate that the hacked websites receive thousands of visitors per week. Also, given that the hack has been operating for more than two years, and that TAG was able to identify five separate, complete and unique iPhone exploit chains that cover almost every version from iOS 10 through to the latest version of iOS 12, large numbers of iPhone users could potentially be affected.
12 security flaws
Mr Beer’s team identified 12 separate security flaws (mostly bugs within the Safari default web browser on Apple products) that could be used to compromise the Apple devices.
Reported to Apple – patch released
The TAG researchers reported the issues to Apple with a 7-day deadline on 1 February 2019 and shared the complete details of the research with Apple. This led to the release of the security update iOS 12.1.4 on 7 Feb 2019.
What does this mean for your business?
It is worrying to think that this kind of hack has been going on for years before it was discovered and owners of Apple devices may be particularly surprised given the security features of their phones and Apple’s reputation for offering relative safety from concerns about viruses and hacking.
If you have an iPhone, the advice is to make sure that it is running the latest version of iOS. Go to ‘Settings’, tap ‘General’ and under ‘Software Update’ check that you are be running iOS 12.4.1. which has the fix.