iPhone exploits in hacked websites went unnoticed for years
Researchers from Google's Project Zero security initiative on Thursday revealed the discovery of a collection of hacked websites that for years hosted a series of exploits targeting iPhone models up to iPhone X running the current version of iOS 12.
Outlined in a blog post, Google said its Threat Analysis Group (TAG) uncovered the "small collection" of websites earlier this year.
"The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day," writes Project Zero's Ian Beer. "There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant."
Beer estimates the sites receive thousands of visitors per week.
TAG believes the hacks are the work of a bad actor who, over a period of at least two years, conducted an operation to infiltrate select iPhone user demographics targeted by the undisclosed sites. The group found evidence of five unique iPhone exploit chains that cover "almost every version" of iOS from iOS 10 to the current iteration of iOS 12. Impacted iPhones range from iPhone 5s to iPhone X.
In all, Google researchers discovered 14 vulnerabilities impacting iPhone's web browser, kernel and sandbox security mechanism, one of which was a zero-day.
As noted by Motherboard, which reported on Google's findings earlier today, the exploits were used to deploy an implant designed to steal files and upload real-time GPS location data. In addition, the implant accessed a user's keychain, a feature responsible to securely storing passwords and databases of end-to-end encrypted messaging apps like iMessage. It also took copies of Contacts data and Photos, Beer writes.
While the malware is cleaned from an infected iPhone upon rebooting, Beer notes attackers might be able to "maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device." Alternatively, visiting the hacked site would reinstall the implant.
Google informed Apple of the issue on Feb. 1, presenting the company a seven-day window in which to plug the holes. Apple subsequently released a patch with iOS 12.1.4 on Feb. 7 and disclosed Google's findings in an accompanying support document.
Apple's iOS 12.1.4 update also patched a pair of Foundation and IOKit flaws discovered by Google's Project Zero team lead Ben Hawkes. Both zero-day vulnerabilities were used to hack devices in the wild.