Google says iOS security flaws led malicious websites to hack iPhone for years

Google's Project Zero team found some malicious websites that could hack into iPhones. The websites would have installed a malware which could then compromise on user data including messages, photos and location details.

Google Project Zero, iOS flaw, iPhone security flaw, iPhone hack, Google discovers iPhone security flaw

According to Google’s blog, there was no specific target discrimination and simply visiting the hacked site was enough for the exploit server to attack the iPhone device. (Representational image: iPhone XR)

Google’s security researchers who are a part of the company’s Project Zero team have said that they discovered various hacked websites that, for years, have installed malware onto iPhones of those users who visited them. iPhone users who visited any of these websites, it is likely that they would have had their data compromised including their messages, photos and location.

According to a recent blog post by Google’s Project Zero team, they had reported their findings of the security flaws to Apple earlier this year, and the flaw was patched in the iOS 12.1.4 update released by Apple in February. Apple had also published the details on its support page as well, something it does for all its security-related updates.

According to Google’s blog, there was no specific target discrimination and simply visiting the hacked site was enough for the exploit server to attack the iPhone device. It further added that once it was successful, it would install a monitoring implant on the device. The details of Project Zero’s findings were published by Google Project Zero’s Ian Beer. “We estimate that these sites receive thousands of visitors per week,” he wrote in the blog.

According to the blog, Google’s researchers at the Threat Analysis Group (TAG) were able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated that a group was making a sustained effort to hack into the iPhone users in certain communities over a period of at least two years.

“I shan’t get into a discussion of whether these exploits cost $1 million, $2 million, or $20 million. I will instead suggest that all of those price tags seem low for the capability to target and monitor the private activities of entire populations in real time,” Beer wrote.

Though malware attacks are rare on iPhones which are generally considered to be thoroughly secured. In the past, Apple has also offered up to $1 million to security researchers for finding vulnerabilities on iOS devices. It is not clear as to who is behind such malware attacks which could be triggered by just merely visiting a hacked website.

The blog also gave details about individual vulnerabilities. It mentioned how the hack gave attackers complete control of an iPhone. It would allow the attackers to install malicious apps, get location details real-time and steal photos and messages, even if they are encrypted. Since the malware had deep-level access it could fetch the details of messages even before they got encrypted.

Story continues below this ad

As these attacks stole the personal information of the iPhone user, they were sending it across without any encryption, which means that anybody who is on the same Wi-Fi network may also see the stolen content. The malware was wiped off if the iPhone was rebooted and return as soon as the user visited any of the hacked websites again, CNET said in a report.

Even if the malware was wiped off, the attackers could cause further damages with the help of stolen passwords and messages it obtained previously from the malware.

Also Read|Google’s Project Zero security researchers find 6 security flaws on Apple’s iOS

iOS does not allow malware scans on its devices, and this possibly could have led to this malware being hidden for so long the CNET report added.

Tags:
Google