Data Driven Futures

Google uncovers ‘sustained’ iPhone hack

Written by Hannah McGrath
30/08/2019

A team of security researchers at Google claims to have uncovered hackers trying to access iPhones in an attempted attack that has lasted at least two years.

Writing in a series of blog posts, cybersecurity expert Ian Beer, a member of Google’s Project Zero security taskforce, said that a “sustained effort” had been identified to use websites to harvest contacts, images and data stored on iPhones. The hackers implanted the websites with malicious software.

In the blog posted yesterday, Beer wrote: “Threat Analysis Group discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone.”

The attack was not targeted at specific users, the researchers found: simply visiting a hacked site was enough for the attack to infiltrate the visitor’s device.

The post said that these sites received thousands of visitors per week. The hackers attempted to exploit vulnerabilities in Apple’s operating systems from version iOS 10 to iOS 12.

“This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years,” the post read.

The Project Zero team notified Apple of their discovery on 1 February, with a security patch issued six days later.

Beer added that the fact the attempted hacks had been uncovered by Project Zero represented “a failure case for the attacker: for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen”.

He warned that the reality remains that security protections will never eliminate the risk of attack if someone is being targeted.

“All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly,” he said, adding: “Treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”

Apple did not immediately reply to a request for comment.

Wicus Ross, senior researcher at SecureData, commented that thankfully most iPhone users accept software updates and patch frequently.

“However, there are a small percentage of users that do not upgrade to new versions of iOS or even apply security patches - these seem to stay constant over time and relate to older iPhone/iPad device models - and it is these users that are much more likely to be affected by such a type of sustained broad-spectrum attack.

“The Google Project Zero blog post did not reveal much about the compromised web sites besides the ballpark number relating to site visitors,” added Ross. “We don’t know what percentage of iOS users make up that number, but this is probably irrelevant, what is more important is that these types of attacks were happening.

“Based on the numbers that we have, it is very likely that a similar campaign targeting Android devices will be much more successful; our research shows that Android users’ patch behaviour leaves much to be desired.”