A new report from Vice today details discoveries made by Google Project Zero researchers that “may be one of the largest attacks against iPhone users ever.” The basis of the attacks is a series of hacked websites, which were randomly distributing malware to iPhone users.
In a blog post, Project Zero’s Ian Beer explained that there was “no target discrimination” when it came to this series of attacks. Users could be impacted by simply visiting one of the hacked sites, which were said to be receiving thousands of views per week.
Google’s Threat Analysis Group detected a set of five separate and complete iPhone exploit chains affecting iOS 10 through all versions of iOS 12. “This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years,” Beer wrote.
Once a user visited one of the malicious websites and the malware was deployed, the implant “primarily focused on stealing files and uploading live location data,” as often as every 60 seconds. Because the end device itself had been compromised, services like iMessage were also affected.
Working with TAG, we discovered exploits for a total of fourteen vulnerabilities across the five exploit chains: seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes. Initial analysis indicated that at least one of the privilege escalation chains was still 0-day and unpatched at the time of discovery.
Beer says that Project Zero reported the issues to Apple with a 7-day deadline on February 1st, 2019 – and they were fixed in the release of iOS 12.1.4 on February 9th, 2019.
This chain of exploits is unique because many attacks are more targeted in scope, but this one affected anyone who happened to visit one of the infected websites.
To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group. All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.
The incredibly detailed analysis of iOS exploit chains found in the wild can be read on Google’s Project Zero blog. Here, Ian Beer goes into more details about the security fixes Apple made in iOS 12.1.4, which included a fix for the FaceTime eavesdropping bug, as well as security issues discovered by the Project Zero team.