Apple’s security vulnerabilities are headline news all over again. Just days after its highly-publicized emergency iPhone patch, Google’s security researchers have published a “website hack” disclosure that is a hammer blow to the locked down security reputation of the Cupertino tech giant. And as security warnings go, this one is much worse.
Google’s Project Zero team have disclosed that a number of “hacked websites” were being used to attack iPhones for two years. And every single up-to-date iPhone was vulnerable.
“There was no target discrimination,” the researchers reported, “simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.”
Google’s research team “was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.”
To recap, because that disclosure is extraordinary:
The malicious websites were in operation for at least two years, and every iPhone running iOS through iOS 12 was vulnerable to attack. In reality, that means pretty much every iPhone was vulnerable that entire time.
There were multiple “exploit chains” in place, designed to attack multiple “security flaws.” In doing so, the attackers were able to get highly privileged access to core parts of the iPhone operating system which enabled malware to be installed and user data to be accessed. An attack could have devastating consequences. Accessing photos and messages, stealing login credentials and banking passwords, even accessing location information. And those passwords could have stored in the system, not scraped as a website was being accessed.
The five exploit chains are detailed in Google’s disclosure, along with test results from an infected device to examine how that infection might work in practice.
The issues were fixed by iOS update 12.1.4.
“Real users,” the Google disclosure warns, “make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you’re being targeted.”
The problem for Apple is that this will undermine confidence in the security of the brand. So severe is this disclosure, so damaging and intrusive the nature of the vulnerability, that it will leave users asking questions about how such a serious range of flaws could have been left open.
In my view, the speediness of the company’s response to the jailbreak issue (as well as the Zoom issue and even the recent Siri issue), was a reason to maintain confidence in the brand. This disclosure could well undermine that—not because of the response, but because of the severity of the vulnerability.
The other question this raises, of course, is that if these exploits were in place for two years before being found, what else is out there that we don’t yet know about.
“All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly,” Google said in its disclosure, “treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”
The disclosure was published late on the day that Apple announced the launch date for the upcoming iPhone 11. Purely by coincidence, of course.
No comment on any of this as yet from Apple.
As for advice to the millions of users worried at this news? Clearly update right away—this issue was fixed, but others will have been found since. Take care with websites that are visited and apps that are downloaded. And always use common sense. Smartphones are the keys to our digital kingdoms, and should be treated as such.