Apple has made user privacy and security one of the biggest selling points of its devices. The Cupertino has made it incredibly difficult for hackers to break into iPhones and steal user data. But it’s not impossible because hackers are almost always coming up with new ways to hack iPhones. A Google security researcher has disclosed that some malicious websites have been hacking iPhones for at least a couple of years. Apple fixed it only in February this year.
How malicious sites were hacking iPhones
Ian Beer, a security researcher at Google’s Project Zero team, said in a blog post that they have found a handful of hacked websites that could install malware on your iPhone when you visit them. The visitor didn’t need to take any action for the malware to be installed on the device. Just visiting one of the hacked sites allowed the exploit server to target your iPhone.
Motherboard, which first reported the hack, said it could be “one of the largest attacks against iPhone users ever.” Google said these hacked websites were visited thousands of times a week, which suggests a lot of iPhone users might have fallen victims to the hack.
The malicious websites were not targeting a specific individual or group. As long as you are an iPhone user and you visit one of the sites, they would install a “monitoring implant” on the device. The implant focused on stealing sensitive data such as photos, iMessages as well as uploading your live location. It requested data every 60 seconds.
According to Ian Beer, the implant could also access your keychain, which is where all your passwords are stored. Since the implant has compromised the device itself, it could also access the databases of end-to-end encrypted messaging apps like WhatsApp, Telegram, and iMessage, and others. Rebooting the iPhone wipes off the malware. But by the time you reboot, the hackers might have stolen all your sensitive data. They transfer all the data to servers unencrypted.
Google’s Threat Analysis Group discovered a total of 14 vulnerabilities that affected iPhones running iOS 10 through the latest version of iOS 12. Google researchers identified five different iPhone exploit chains based on fourteen vulnerabilities. At least one of them was a zero-day exploit chain.
An exploit is referred to as “zero-day” when the impacted company is not aware of it and has zero days to find a fix. The zero-day exploits are worth gold to hackers. Since the vendor (Apple in this case) is not aware of the vulnerability, it hasn’t been fixed, allowing hackers to effectively break into a device.
Google’s Project Zero team informed Apple about the attacks on February 1, 2019 with a 7-day deadline. Apple fixed it via iOS 12.1.4 update on February 9. The 12.1.4 update also fixed the FaceTime eavesdropping bug and a bunch of other issues.
Ian Beer said the attacks indicated the hackers were making “a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.” While Apple has fixed all the vulnerabilities reported by Project Zero, Beer said it’s possible that attackers might be currently using other exploits for hacking iPhones.
The Cupertino company has been incentivizing security researchers and hackers to report bugs in its software. Recently, Apple increased the maximum bug bounty payout to a staggering $1 million for researchers who could find flaws that give hackers root-level access to an iPhone without any action on the user’s part.
Apple apologizes to Siri users
Apple’s credibility as a company committed to user privacy came into question recently when The Guardian revealed that the company was allowing its employees and third-party contractors to listen to your Siri recordings to help improve its AI assistant. The contractors would hear all sorts of recordings including confidential medical information, drug deals, and couples having sex.
The tech giant has issued a public apology for letting contractors listen to your secret recordings. It has also promised changes to its Siri grading program, including allowing only Apple employees to listen to your Siri interactions. “We realize we haven’t been fully living up to our high ideals, and for that we apologize,” said Apple.