Thousands of iPhones attacked just by visiting hacked websites

According to a new report, websites attacked iPhones for years on an unprecedented scale.

This week, Vice reported that hacked websites have been delivering attacks aimed at infiltrating iPhones. Researchers at Google uncovered the malware attacks, and believe they may mark one of the biggest assaults against iPhone users ever.

There were no specific targets of the hack, which is unusual. It was previously thought that iOS hacking was an expensive and precise endeavor, often handled by nation-states, not rogue hackers.

But in this case, users could be attacked simply because they visited a particular website. In a blog post, Ian Beer of Google’s Project Zero writes, “There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.”

These attacks were often particularly effective because they made use of so-called “zero-day exploits,” meaning that they relied on a vulnerability Apple was unaware of, so the company had had no time to find a fix.

Once the exploit was found, hackers could then deploy malware onto phones. Beer’s team found that this malware “is primarily focused on stealing files and uploading live location data.” The malware targeted user keychains, where passwords and encrypted messaging data, such as that used by WhatsApp and iMessage, are stored. Once deployed, data was being uploaded from phones as frequently as once a minute.

Google’s Threat Analysis Group found five iPhone exploit chains (sets of vulnerabilities linked together to compromise a device) that affected iOS 10 through iOS 12. This means that the hacking effort lasted for at least two years.

The scope of this attack is of particular interest to the tech community because it demonstrates that iPhone hacking is cheaper and easier than was previously thought. In Wired’s reporting on the issue, experts concede that hacking that was once thought to be expensive, targeted, and often state-sponsored, was deployed on a mass scale in this instance.

This attack will likely send shockwaves through the tech security industry, as it is already being talked about as a “wake-up call.”

In its report, Google declined to name the websites that acted as a “watering hole” to spread the malware.

The good news? The vulnerabilities were fixed with the release of iOS 12.1.4 on February 9, 2019.

Brenden Gallagher

Brenden Gallagher is a politics reporter and cultural commentator. His work has been published by Motherboard, Complex, and VH1. He’s the co-founder of Beer Money Films, an indie production company. Based in Los Angeles, he works in television drama as a writers’ assistant.