Security researchers at Google uncovered a “sustained” — at least two years — and indiscriminate campaign to hack iPhones through certain websites, allowing attackers to steal messages, files and track location data every 60 seconds.
In a deep-dive blog post published Thursday evening, Ian Beer, a security expert on Google’s Project Zero, detailed how hackers had been using malicious websites to exploit an iPhone software vulnerability. The post did not name the websites nor say how many people were affected.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” Beer wrote. “We estimate that these sites receive thousands of visitors per week. ”
The implant also collected password keychains, messages, address books and other personal information from users’ apps, including WhatsApp, Telegram and Gmail.
This type of widespread yet random attack is rare, and it may be one of the biggest attacks ever on iPhone users. But there was a limit to the malware’s power — it was erased if the iPhone was restarted, freeing the user unless they returned to one of the malicious websites.
Apple did not immediately respond to a request for comment from The Washington Post.
As Google’s external security team, Project Zero researchers are dispatched to find all manner of weaknesses in popular technology. Since it was created in July 2014, the team has found and reported nearly 1,600 hardware and software vulnerabilities. But Project Zero has taken heat for its tough tactics: After reporting a bug, the team gives the vendor 90 days to fix it before Project Zero discloses the details publicly. (In some cases, Google will offer an additional 14-day grace period.)
Google contends that the hard deadline produces the best results. Earlier this month, Project Zero said that about 95.8 percent of the bugs it finds and reports are patched before the 90-day deadline.
But when Project Zero informed Apple of the breach on Feb. 1, it gave the company seven days to fix it, citing the need for urgency. The iPhone maker released iOS 12.1.4 on Feb. 7.
Apple is notoriously guarded with its products, shielding them from even well-meaning hackers looking to probe iOS vulnerabilities. But the company gradually opened its products up to researchers, and it recently announced plans to release a hacker-friendly phone to certain experts in the interest of uncovering vulnerabilities more quickly.
At the Black Hat security conference in Las Vegas earlier this month, Apple’s head of security engineering said the company will pay as much as $1.5 million for a “bug bounty” to any researcher who discovers iOS attack techniques and discreetly reports them to Apple.
In the blog post, Beer wrote that he didn’t want to try to put a price tag on the attacks but said that “$1 million, $2 million, or $20 million” seemed low, given the attackers’ ability to “monitor the private activities of entire populations in real time.”
And while this operation ultimately failed as it was discovered by Project Zero, Beer made it clear that there are almost certainly hackers more lurking and preying on people.
“All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”
Dig Deeper: Personal tech + Privacy
Want to learn about how to keep your personal information private? Check out our curated list of stories below.
Americans receive more than 5.2 billion automated calls in a month. But there are new apps to help stem the deluge.
As tech columnist Geoffrey Fowler slept, a dozen marketing companies used his iPhone to learn his number, email, location and IP address.
Changing privacy default settings means you’ll get less personalization from some services, but it can slow down the number of eerie on-the-nose ads driven by data siphoned by major companies.