Google Uncovers Major iPhone Security Flaw That Left Users Vulnerable For Years
A member of Google's Project Zero security team has written a lengthy blog post detailing a series of iOS exploit chains discovered in the wild. According to Project Zero's findings, a hacking group carried out a "sustained effort to hack the users of iPhones" for a period of at least two years. This was accomplished through hacked websites.
Project Zero member Ian Beer says Google's Threat Analysis Group (TAG) discovered a small collection of hacked websites that were used in "indiscriminate water hole attacks" against iPhone users, by way of a zero-day.
"Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week," Beer wrote.
Working with TAG, the Project Zero team discovered 14 vulnerabilities across five exploit chains. Seven of those applied to Safari, the default web browser on iOS devices, five more applied to the iOS kernel, and there were two separate "sandbox escapes."
Beer's blog post takes a very deep dive into the exploit chains, but the takeaway is this: for a period of two years or more, a fully patched iPhone was susceptible to drive-by attacks that could expose a user's contacts, photos, iMessage communications, and data from apps, including ones like WhatsApp, Gmail, and Hangouts. The implanted malware could even track a user through real-time GPS data.
It's a frightening discovery, given that simply visiting a hacked website is all it took to be compromised. To Apple's credit, it fixed the issues promptly after being made aware.
"Initial analysis indicated that at least one of the privilege escalation chains was still 0-day and unpatched at the time of discovery (CVE-2019-7287 & CVE-2019-7286). We reported these issues to Apple with a 7-day deadline on 1 Feb 2019, which resulted in the out-of-band release of iOS 12.1.4 on 7 Feb 2019," Beer wrote.
If you own an iPhone, the best thing you can do right now is ensure you're running the latest version of iOS. You can check which software version you are running by heading to Settings > General > About and looking at the Software Version. To actually check if an update is available, however, head to Settings > General > Software Update.