Google Discovered Malicious Websites Used to Hack iPhones for Years

Apple likes to talk up its focus on security and privacy, but iPhone owners have unknowingly been targets of an indiscriminate and severe hacking campaign for at least two years. Google’s Project Zero team uncovered the scheme, which used websites loaded with unpatched exploits to install malware on iPhones that could track user locations, steal files, and more. Apple patched the flaws after they were reported, but we’re only now finding out the scale of the attack.
According to Google, its researchers discovered the malicious websites in early 2019. Currently, the team believes the network of hacking sites had been operating for more than two years, attracting thousands of visitors per week. Unsuspecting iPhone users who visited the pages would come away with malware running as root on their devices. That is the highest level of software privilege, one that even the device owner doesn’t have on iOS.
Project Zero researchers identified five different exploit chains in the wild, leveraging 12 distinct security flaws. Seven of them involved the Safari browser engine, which even third-party browsers have to use. This wasn’t just targeting some archaic version of iOS, either. The attacks covered almost every version of iOS 10 through the latest iOS 12. After implanting the malware on iPhones, attackers could track user locations, copy photos, and even access the user’s on-device password storage.
Again, this all happens silently in the browser. For all the fretting over malicious code popping up in apps for both Android and iOS, this is much more severe because the attackers don’t have to trick users into installing anything. It’s been a long time since zero-day browser-based hacks like this have shown up in the wild. Years back, there were websites you could visit that would use exploits to instantly jailbreak iPhones. Modern security practices ended easy browser hacking, or so we thought.

Google reported the flaws privately to Apple in February, but it gave Apple just one week to roll out patches. That’s much shorter than the customary 90-day disclosure timeline. That drives home the seriousness of the attack. Not only is the impact on users severe, but the attackers were also actively infecting thousands of phones per week. Apple rolled out an update (iOS 12.1.4) six days later to fix the flaws.
If there’s any bright spot in all of this, it’s that the attackers didn’t seem to have any particular target. Their victims were anyone unlucky enough to click on the malicious web link. While this hole is patched, the campaign carried on for two years. There could be other active exploits in the wild right now that no one in the security community knows about.