Google Project Zero researchers have uncovered a slew of hacked websites that delivered attacks to iPhones.
The attacks were not targeted: any iPhone that visited one of the websites would receive malware designed to hack into it, gain access to files and steal location data. Google says the sites were operational for years and received thousands of visitors every week.
Project Zero researcher Ian Beer shared a blog post outlining five exploit chains that together used a total of 14 vulnerabilities: seven for the iPhone’s web browser, five for the kernel and two separate ‘sandbox escapes.’ In computer security, a ‘sandbox’ typically refers to a mechanism for isolating running programs, often used to execute untested or untrusted software. Sandboxes usually control resources tightly and restrict or prevent access to essential system functions.
Project Zero worked with Google’s Threat Analysis Group (TAG), which initially uncovered the websites and vulnerabilities. According to Beer, the exploits covered versions of Apple’s mobile operating system from iOS 10 to the current version of iOS 12.
At least one of the vulnerabilities was a zero-day. A zero-day is a vulnerability that the affected company, in this case Apple, isn’t aware of. In other words, the company has had zero days to find a fix.
Google warned Apple of the vulnerabilities in February, and the company has since fixed the issues, according to Beer.
Exploits stole files and location data and gained keychain access
Once the attack successfully exploited an iPhone, it could deploy malware on the device. Beer wrote that the malware implant primarily focused on stealing files and uploading location data.
It also accesses the user’s keychain, which contains passwords and databases of end-to-end encrypted messaging apps like Telegram, WhatsApp and iMessage. While the encryption on these apps can protect messages in transit, it doesn’t protect messages if a hacker compromises one of the end devices.
Thankfully, the malware doesn’t have persistence. In other words, if you reboot your iPhone, it wipes the malware. However, the infection can still provide plenty of sensitive data to attackers and, thanks to the keychain access, allow attackers to maintain access to various accounts and services.
Beer writes that the attack indicates “a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.”
This doesn’t mark the first time Project Zero has uncovered iPhone vulnerabilities, but past exploits were, by nature, more targeted. Typically, attackers had to send a text message to the target, often with a malicious link.
iPhone exploits like this are worth a lot of money as well, as much as $2 to $4 million USD (about $2.7 million to $5.3 million CAD), according to CrowdFense.