Attackers spent two years using breached websites to try to siphon information off thousands of iPhones, researchers from Google said Thursday in a blockbuster disclosure that upends traditional narratives around Apple device security.
Google’s Project Zero detailed malicious activity involving five so-called exploit chains, in which the attackers strung together several Apple vulnerabilities to bypass the iPhone’s layered protections. By luring iPhones to specific web pages, the attackers could move from the Safari browser to the kernel, the core of the operating system. From there they could secretly install a monitoring implant, track a user’s location or take other actions, Google said.
The exploit chains targeted iOS versions 10 through 12. Apple patched the last of the vulnerabilities in iOS 12.1.4, an out-of-band update released in February 2019.
Google’s research team discovered a total of 14 vulnerabilities across the five chains: seven for the Safari browser, five for the kernel and two sandbox escapes (exploits that let code running inside an app’s restricted environment reach parts of the phone it would normally be barred from).
Google reported its findings to Apple on Feb. 1, 2019 with a seven-day disclosure deadline. Apple shipped the fix within that window, but iPhones that have not been updated remain vulnerable.
“The hacked sites were being used in indiscriminate watering hole attacks” using zero-day exploits for the iPhone, Google’s Ian Beer wrote in a blog post. “There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.”
Google’s announcement challenges the prevailing wisdom that Apple devices, particularly the iPhone, are more secure than competitors’ products. While the company generally has an advantage over other mobile platform vendors, thanks to a closed ecosystem that gives Cupertino tight control over hardware, software and app distribution, this disclosure demonstrates that well-resourced attackers can still find ways around those safeguards.
A close look at the operation also shows the attackers relied on a monitoring implant that could report a device’s location, read conversations in Google Hangouts, access its photos and pull messages from end-to-end encrypted apps such as iMessage and WhatsApp. End-to-end encryption protects messages in transit, not on a compromised endpoint: running with elevated privileges on the phone, the implant simply read the apps’ local message databases, so the plaintext of messages sent back and forth was exposed regardless of the encryption.
The implant also uploaded the device’s keychain, the store for passwords, certificates and the credentials that let users stay logged into their accounts while moving between apps. That convenience becomes a weapon in the hands of an intruder.
“The keychain also contains the long-lived tokens used by services such as Google’s iOS Single-Sign-On to enable Google apps to access the user’s account,” according to the Project Zero research. “These will be uploaded to the attackers and can then be used to maintain access to the user’s Google account, even once the implant is no longer running.”