Security researchers at Google’s Project Zero have recently revealed in a deep-dive blog post that they found a number of malicious websites that were capable of hacking into iPhones by exploiting software flaws.
The websites in question, according to the Project Zero team, were visited thousands of times every week by victims.
“There was no target discrimination,” Ian Beer, Project Zero security consultant, has said. “Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.”
These websites allowed the attackers to access pretty much any credentials or certificates that they could find on the iPhone, even the databases of messaging apps that are mostly regarded as secure, like WhatsApp and iMessage. In addition to gaining access to messages, the attackers could also look through the users’ personal files and obtain their real-time location data.
While these sorts of attacks are typically targeted, this one wasn’t: anyone who visited the websites could be attacked and have an implant installed on their device.
Victims could get rid of the implant by rebooting their phone, but because the attack had its sights set on the smartphone’s keychain, the attackers could still get hold of the authentication token and continue to maintain access even after the implant had been eliminated.
Altogether, Project Zero found 14 vulnerabilities across five different exploit chains, affecting iOS versions 10 through 12, which means that the attackers had been using them against unsuspecting iPhone users for at least two years.
The team contacted Apple about the issue back in February, and the company was quick to fix the vulnerabilities with the iOS 12.14 update. However, Project Zero believes others might still exist that haven’t been discovered yet.
“Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you’re being targeted. To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group,” Beer says in his post, and adds that “All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”