iPhone exploits in hacked websites went unnoticed for years
Researchers from Google's Project Zero security initiative on Thursday revealed the discovery of a collection of hacked websites that for years hosted a series of exploits targeting iPhone models up to iPhone X running the current version of iOS 12.
Outlined in a blog post, Google said its Threat Analysis Group (TAG) uncovered the "small collection" of websites earlier this year.
"The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day," writes Project Zero's Ian Beer. "There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant."
Beer estimates the sites receive thousands of visitors per week.
TAG believes the hacks are the work of a bad actor who, over a period of at least two years, conducted an operation to infiltrate select iPhone user demographics targeted by the undisclosed sites. The group found evidence of five unique iPhone exploit chains that cover "almost every version" of iOS from iOS 10 to the current iteration of iOS 12. Impacted iPhones range from iPhone 5s to iPhone X.
In all, Google researchers discovered 14 vulnerabilities impacting iPhone's web browser, kernel and sandbox security mechanism, one of which was a zero-day.
As noted by Motherboard, which reported on Google's findings earlier today, the exploits were used to deploy an implant designed to steal files and upload real-time GPS location data. In addition, the implant accessed a user's keychain, the feature responsible for securely storing passwords and the databases of end-to-end encrypted messaging apps like iMessage. It also took copies of Contacts data and Photos, Beer writes.
While the malware is cleaned from an infected iPhone upon rebooting, Beer notes attackers might be able to "maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device." Alternatively, visiting the hacked site would reinstall the implant.
Google informed Apple of the issue on Feb. 1, giving the company a seven-day window in which to plug the holes. Apple subsequently released a patch with iOS 12.1.4 on Feb. 7 and disclosed Google's findings in an accompanying support document.
Apple's iOS 12.1.4 update also patched a pair of Foundation and IOKit flaws discovered by Google's Project Zero team lead Ben Hawkes. Both zero-day vulnerabilities were used to hack devices in the wild.
Comments
The memory of MacOS permission screw-up getting admin or even root permission is still very fresh.
Also consider the public perception when ‘Google researchers’ discover ‘Apple problems’.
- You don't know what Project Zero is. You don't know what they do
- You skimmed the article looking for excuses why these exploits existed and lasted so long.
- Finding none, you decided it would be perfectly fine to inject baseless speculation and disparage the research team
I've always been curious why people do what you did. I think either you completely misunderstood what you read or you intentionally made up some stuff. If it's the former, I'd suggest rereading and clicking on the links to gain understanding. If it's the latter, might I suggest a look in a mirror and ask yourself: what am I thinking?
There's a list in the blog.
This is the comment you think is valid? Bruh, lemme get a hit of whatever you're smoking.
That comment is so hyperbolic it almost seems like he's making a parody of the stereotypical Apple Defense Force type of Apple fan.
Fun Fact: Project Zero holds Google themselves to the same general 90-day disclosure deadline as they give every other company.
By the way it's rare that exploits discovered by the Project Zero team are not patched before the 90-day deadlines, despite Microsoft whining about it.
https://www.techspot.com/news/81281-over-95-1600-vulnerabilities-discovered-google-project-zero.html
As an iPhone user I am very pleased that Google is helping to improve my iPhone. But I can't understand why Google can't improve the balance of their open platform with a safer/more secure platform. Windows 10 is much better in this regard these days.
However, it is extremely impressive that there are people in the world who are so extraordinarily skilled to be able to find and exploit these vulnerabilities. It would be fascinating to see what a state like Russia has been able to do with their hack teams.