Project Zero, a group of Google security analysts detecting and exploring zero-day vulnerabilities in popular software products, has reported a long-time hack in iPhones that helped crooks steal users’ personal data – and even track their location in real time.
According to the project’s white hat hacker, Ian Beer, Google's Threat Analysis Group has discovered a “small collection” of hacked websites earlier this year, which were being used to embed malicious exploit chains into iPhones by taking advantage of poorly-written or little-tested portions of the code.
“Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” he wrote on the Project Zero blog Thursday.
These websites are estimated to receive thousands of visitors every week, but it is not clear whether all visitors were hijacked.
Google analysts have detected five separate iPhone exploit chains that worked with almost every version from iOS 10, released in September 2016, to iOS 12, launched in September 2018 – meaning that a mystery group was trying to hack iPhone users over a period of at least two years.
They discovered a total of 14 vulnerabilities targeting iPhone's web browser, kernel and sandbox security mechanism.
The exploits were being used to upload unencrypted files from popular messaging services such as WhatsApp, Telegram, Hangouts, iMessage and Gmail, as well as transcripts of conversations in these apps, to the attacker’s server.
They were also able to copy the user’s complete contacts database and photos and track the user’s location in real time if the device was online.
The malicious websites may still have enjoyed unauthorised access even when the vulnerability was removed from the phone.
“Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device,” Beer said.
He highlighted that Apple was made aware of the hack in February 2019, and patched it days later.
“Let’s also keep in mind that this was a failure case for the attacker: for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen,” he warned.
On Monday, Apple issued an emergency security fix after it had unknowingly re-opened a previously-fixed security bug, which allowed a current generation iPhone to be jailbroken and hacked.
And just two weeks ago, Google announced it was aware of over 4 billion unsafe usernames and passwords, meaning that thousands of people are using passwords that have been hacked.