Google Discovered Malicious Websites Used to Hack iPhones for Years

Apple likes to talk up its focus on security and privacy, but iPhone owners have unknowingly been targets of an indiscriminate and severe hacking campaign for at least two years. Google’s Project Zero team uncovered the scheme, which used websites loaded with unpatched exploits to install malware on iPhones that could track user locations, steal files, and more. Apple patched the flaws after they were reported, but we’re only now finding out the scale of the attack.

According to Google, its researchers discovered the malicious websites in early 2019. Currently, the team believes the network of hacking sites had been operating for more than two years, attracting thousands of visitors per week. Unsuspecting iPhone users who visited the pages would come away with malware running as root on their devices, the highest level of software privilege, which even the device owner doesn’t have on iOS.

Project Zero researchers identified five different exploit chains in the wild, leveraging 12 distinct security flaws. Seven of them involved the Safari browser engine, which even third-party browsers have to use. This wasn’t just targeting some archaic version of iOS, either. The attacks covered almost every version of iOS 10 through the latest iOS 12. After implanting the malware on iPhones, attackers could track user locations, copy photos, and even access the user’s on-device password storage.

Again, this all happens silently in the browser. For all the fretting over malicious code popping up in apps for both Android and iOS, this is much more severe because the attackers don’t have to trick users into installing anything. It’s been a long time since zero-day browser-based hacks like this have shown up in the wild. Years back, there were websites you could visit that would use exploits to instantly jailbreak iPhones. Modern security practices ended easy browser hacking, or so we thought.

Google reported the flaws privately to Apple in February, but it gave Apple just one week to roll out patches. That’s much shorter than the customary 90-day disclosure timeline. That drives home the seriousness of the attack. Not only is the impact on users severe, but the attackers were also actively infecting thousands of phones per week. Apple rolled out an update (iOS 12.1.4) six days later to fix the flaws.

If there’s any bright spot in all of this, it’s that the attackers didn’t seem to have any particular target. Their victims were anyone unlucky enough to click on the malicious web link. While this hole is patched, the campaign carried on for two years. There could be other active exploits in the wild right now that no one in the security community knows about.
