Apple likes to talk up its focus on security and privacy, but iPhone owners have unknowingly been targets of an indiscriminate and severe hacking campaign for at least two years. Google’s Project Zero team uncovered the scheme, which used websites loaded with unpatched exploits to install malware on iPhones that could track user locations, steal files, and more. Apple patched the flaws after they were reported, but we’re only now finding out the scale of the attack.
According to Google, its researchers discovered the malicious websites in early 2019. Currently, the team believes the network of hacking sites had been operating for more than two years, attracting thousands of visitors per week. Unsuspecting iPhone users who visited the pages would come away with malware running as root on their devices — that’s the highest level of software privileges that even the device owner doesn’t have on iOS.
Project Zero researchers identified five different exploit chains in the wild, leveraging 12 distinct security flaws. Seven of them involved the Safari browser engine, which even third-party browsers have to use. This wasn’t just targeting some archaic version of iOS, either. The attacks covered almost every version of iOS 10 through the latest iOS 12. After implanting the malware on iPhones, attackers could track user locations, copy photos, and even access the user’s on-device password storage.
Again, this all happens silently in the browser. For all the fretting over malicious code popping up in apps for both Android and iOS, this is much more severe because the attackers don’t have to trick users into installing anything. It’s been a long time since zero-day browser-based hacks like this have shown up in the wild. Years back, there were websites you could visit that would use exploits to instantly jailbreak iPhones. Modern security practices ended easy browser hacking, or so we thought.
Google reported the flaws privately to Apple in February, but it gave Apple just one week to roll out patches. That’s much shorter than the customary 90-day disclosure timeline. That drives home the seriousness of the attack. Not only is the impact on users severe, but the attackers were also actively infecting thousands of phones per week. Apple rolled out an update (iOS 12.1.4) six days later to fix the flaws.
If there’s any bright spot in all of this, it’s that the attackers didn’t seem to have any particular target. Their victims were anyone unlucky enough to click on the malicious web link. While this hole is patched, the campaign carried on for two years. There could be other active exploits in the wild right now that no one in the security community knows about.