Malicious Websites Have Been Quietly Hacking Your iPhone for Years

Researchers at Google’s Project Zero have been finding some serious security flaws in iOS recently — most of which have thankfully already been patched by Apple — but they may have now just discovered the biggest and most pervasive set of attacks ever found.

According to Motherboard, the team of researchers have uncovered a collection of hacked websites that have been taking advantage of security flaws in iOS for years, not only designed explicitly to hack iPhones, but also to do so indiscriminately.

Most exploits used against iOS security flaws require a targeted attack. For example, recent flaws discovered in iMessage could expose personal data, but still required somebody to actually send an iMessage to your phone specifically — meaning you needed to be on someone’s list.

By contrast, this attack lurks on dozens of hacked sites, simply waiting for you to visit from your iPhone (or iPad), at which point monitoring implants can be installed on your device, potentially exposing personal data to the attacker.

There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.

Ian Beer, security researcher, via Google Project Zero

Zero Day Exploits

As the name implies, the whole mission of Google’s Project Zero team is to hunt down “zero-day” vulnerabilities — that is, those that are not already known to platform developers like Apple and can therefore be exploited before the companies have time to fix them.

Since the iPhone is relatively hard to hack, zero-day exploits for the iPhone are rare, but not unheard of, and are therefore extremely valuable to hackers — often fetching prices of up to $3 million on the black market for a single “full exploit chain” of a current iOS version.

In the case of this latest batch of exploits, Google’s Ian Beer notes that the firm’s Threat Analysis Group (TAG) was able to collect “five separate, complete and unique iPhone exploit chains” that affected iOS 10 through iOS 12, and demonstrated that there is a group out there “making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.”

A Massive Hacking Campaign

While all of the exploits have since been patched — the most recent ones were fixed in the iOS 12.1.4 update back in February after Project Zero researchers notified them — the real issue is that this exposes what Beer refers to as “a campaign exploiting iPhones en masse.”

These weren’t minor vulnerabilities, either. Once the attack was able to exploit the iPhone, malware was deployed that could steal files and upload live location data, as directed by a remote server. Essentially, it was a bot-style implant that “phoned home” to a control server every 60 seconds looking for instructions on what to do.

Even more frighteningly, the implant also had at least some access to the device keychain, which then allowed access to passwords and databases of encrypted messaging apps, such as Telegram, WhatsApp, and iMessage.

The one slight glimmer of good news in all of this is that the implant wasn’t persistent — it would be rendered inoperative as soon as you reboot your iPhone — but it could still deliver a lot of sensitive information before that, and hackers could of course still access cloud-based accounts using passwords and credentials they already siphoned from your iPhone in the initial attack.

What This Means for You

Although Apple takes security much more seriously than most other smartphone makers, no system is completely invulnerable, and we’ve seen enough security flaws in iOS in recent months to know this. Apple patches security flaws as quickly as it can — the last zero-day exploit in this particular instance was fixed less than seven days after Apple was notified of it — but as Beer writes, it’s important that users “be conscious of the fact that mass exploitation still exists and behave accordingly” and recognize that their mobile devices can, if compromised “upload their every action into a database to potentially be used against them.”

All of these flaws discovered by Project Zero have long been patched — as long as you’re running iOS 12.1.4 or later — but of course this is just one campaign, and there may be others that are yet to be discovered by security researchers, taking advantage of flaws that Apple doesn’t know about yet; Apple has expanded its bug bounty program to offer bigger payouts as incentives for researchers to come forward with these exploits so it can fix them before they get into the hands of malicious hackers, but the amount Apple is offering — up to $1 million per exploit — is peanuts compared to what unethical researchers can get by selling those same exploits on the black market.

Protecting yourself from such exploits involves developing and maintaining a series of good security habits:

• Be cautious about visiting unknown websites. While any website can be hacked, more established websites generally have better security and auditing to prevent and catch intrusions like this.
• Don’t Open Messages from Unknown Senders. While this exploit involved visiting websites, most of the others ones we’ve seen recently come from malformed iMessages hoping to catch curious users.
• Use different passwords for different services. Especially for things like online banking, email accounts, and your Apple ID. This way one intercepted password doesn’t become a key to unlock your entire kingdom.
• Change your important passwords regularly. If a hacker gets access to a list of passwords, they’re less likely to be useful in the longer term. Mass exploit campaigns like this collect a lot of data and therefore rarely use it immediately after its collected.
• Avoid storing passwords in the keychain for extremely sensitive accounts. No malware can retrieve a password that’s only stored in your own head.
• Restart your iPhone regularly. It’s much easier for malware to live in memory than to be set up persistently on your iPhone, so restarting your iPhone on a regular basis will help to ensure this stuff is cleaned out.
• Always Keep iOS Up to Date. Every single iOS update we’ve seen in the past few years has patched at least a few security flaws, and more recently, these have become even more serious. Users who delay updating to the latest iOS version — especially minor point releases — in the name of “avoiding bugs” are doing themselves more harm than good.