iPhone users should take note of a new report from Google researchers showing that iPhones were being compromised simply by visiting certain websites. The report describes a series of in-the-wild iPhone exploit chains uncovered by Google's Project Zero earlier in 2019. The researchers identified five unique exploit chains capable of remotely jailbreaking an iPhone and installing spyware.

Across the five chains the attackers used 14 distinct vulnerabilities in Apple's iOS: seven in the Safari web browser (WebKit), five in the iOS kernel, and two sandbox escapes. Taken together, the chains covered devices running everything from iOS 10 up to iOS 12, the current release at the time the chains were discovered.

A detailed analysis by Project Zero's Ian Beer notes that only two of the 14 bugs, CVE-2019-7287 and CVE-2019-7286, were still unpatched zero-days when the chains were found; the rest had already been fixed in current iOS releases, which left only devices that had not been updated exposed to those older chains. Despite its breadth, the campaign had gone unnoticed for a long time: Google estimated the sites had been operating for at least two years.

Google published the technical details only after Apple had addressed the vulnerabilities. Google reported the two zero-days to Apple on a short disclosure deadline, and Apple responded with an out-of-band release, iOS 12.1.4, in February 2019.

According to the research, the exploits were served from a small set of hacked websites that received thousands of visitors per week. The sites made no attempt to discriminate between visitors: any iOS user who loaded one of them was attacked, and a successful chain let the exploit server install a monitoring implant with no user interaction and no visible sign of compromise.

Once a visitor loaded a compromised site in a vulnerable version of Safari, the chain first exploited a WebKit bug to gain code execution inside the browser, then escaped the sandbox and exploited the kernel to obtain root privileges, giving the attacker full control of the iPhone.

The implant was built to steal files and data, including iMessages, photos, and real-time GPS location, and uploaded what it collected to an external server every 60 seconds. Nothing on the device indicated that it was running: iOS gives users no way to view a process list, so the implant ran without drawing attention.

The implant also copied the local message databases of end-to-end encrypted messaging apps such as WhatsApp, Telegram, and iMessage, exposing private conversations regardless of the encryption used in transit. It further dumped the device's keychain, the secure store holding credentials and authentication tokens, including the token used by Google's iOS Single-Sign-On. With those tokens, attackers could keep accessing the victims' accounts even after the implant itself was gone.

The implant did not persist: it disappeared on reboot. That is little comfort, since revisiting a compromised site would reinstall it, and tokens already taken from the keychain remained valid on their own. A reboot or an iOS update therefore does not fully remediate an affected device; the user's sessions also need to be revoked and credentials rotated.

Apple later disputed the scale of the campaign, stating that fewer than a dozen websites, focused on content related to the Uighur community, were affected. Apple also said the sites were operational for roughly two months, not the "at least two years" that Google's report described.

Following Apple's statement, a Google spokesperson said Project Zero stood by its research, which it publishes to give industry partners and the public a thorough understanding of the vulnerabilities so that defenses can improve.

For business owners, the practical lesson is to keep iPhones updated: iOS 12.1.4 or later contains fixes for every bug in these chains, and devices left on older releases remained exploitable by chains whose bugs had been public for years. Prompt patching and awareness of this kind of no-interaction, drive-by attack are basic but essential steps in protecting sensitive data.
