Researcher at Google’s external security team has unveiled an exceptional iPhone hacking operation which targeted more than thousands of users per week until it was interrupted in January. A two and a half years long operation used a small group of hacked websites to transmit malware on to the iPhones of visitors. Only by visiting the websites without any interaction, the users were compromised. Some of the techniques used by hackers affected even fully updated phones.
Upon being hacked, the user’s confidential information was revealed to the attackers. It is hard to believe, but the users’ location was uploaded every minute; their device’s keychain, enclosing all their passwords, was uploaded, so were their chat histories on popular apps including Telegram, WhatsApp, and iMessage, their address book, and their Gmail database.
The good news is that the implant was not permanent: once the phone was restarted, it was deleted from memory unless user visited the compromised site again. However, a security researcher at Google Ian Beer said that considering the breadth of information stolen, the attackers might nonetheless be able to continue permanent access to several accounts and services by using the stolen authentication tokens from the keychain, even if they lose access to the device afterward.
Beer who is a member of Project Zero, a group of white-hat hackers inside Google, work to find security weaknesses in popular tech, no matter who produces it. The team has become scandalous for its extreme approach to revelation: it reports a bug to the victim after 90 days, and it will publish the details publicly, whether or not the virus has been removed in the meantime.
Altogether, 14 bugs were used for the iOS attack across five different “exploit chains” – strings of flaws connected together in a manner that a hacker can jump from bug to bug, enhancing the severity of their attack every time.
The experts have warned that the users should be cautious of the fact that mass misuse still exists and act accordingly; treating their mobile devices as both essential to their lives, but also as devices which when compromised, can reveal their every action into a database that can possibly be used against them.
On 1 February, Google had informed the security issues to Apple which then released an operating system update which addressed the flaws on 7 February ☠