Google security researcher warns that hackers are using malicious websites to exploit iOS flaws and monitor iPhone users
Hackers are using compromised websites to install "monitoring implants" on iPhones, warns a security researcher from Google's Project Zero.
Taking advantage of vulnerabilities in iOS and Safari, hackers are able to target devices running everything from iOS 10 to iOS 12, accessing contacts, images and other data. It is claimed that the practice has been going on for years, and that "simply visiting the hacked site [is] enough for the exploit server to attack your device".
Writing on the Project Zero blog, security researcher Ian Beer describes how Google's Threat Analysis Group (TAG) discovered a small collection of hacked websites earlier this year that were being used to target iPhone users. He writes: "The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day". If attacks were successful, they would "install a monitoring implant".
In what he describes as "a very deep dive into iOS Exploit chains found in the wild", Beer breaks down five separate iOS exploit chains. He warns that they offer the "capability to target and monitor the private activities of entire populations in real time".
Sharing details of an investigation into "the real-world workings of a campaign exploiting iPhones en masse", Beer writes:
"Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you're being targeted. To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group. All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them."
Beer links to a series of highly detailed write-ups of the exploits, and while Apple fixed the vulnerabilities in question earlier this year, it's worth noting that not every iPhone owner updates their software in a timely fashion. He criticizes Apple, saying that in at least one case, "testing and verification processes should have identified this exploit chain".
Check out the full report over on the Project Zero blog.