Earlier this year, Google helped Apple get rid of a serious operating system vulnerability in iPhones. Project Zero, which is the search giant's team of security analysts that aims to find zero-day vulnerabilities, spotted the problem.
Google's Threat Analysis Group (TAG) came across a string of hacked websites that initiated watering hole attacks on iOS devices. A watering hole attack is a security exploit that lets attackers target a specific group of users by infecting a set of websites.
In this case, of course, iPhone and iPad users were victims. This means that simply visiting those websites gave hackers access to iPhones.
Exploit Chains Were Executed In 2017 and Were Only Discovered This Year, Thanks To Project Zero
A zero-day vulnerability is a hole in software that developers and antivirus vendors don't know about. In a blog post, Google has revealed that iPhones running any version between iOS 10 and the latest iteration of iOS 12 were vulnerable. When the infected websites were visited, a monitoring implant was installed on the device. These websites received an estimated thousands of visitors every week.
Per Google, the root causes of the vulnerabilities were nothing novel. However, these issues are often overlooked because of poor QA controls and insufficient testing. TAG came across fourteen vulnerabilities across five different iPhone exploit chains.
Seven of them were for the Safari browser, five were for the kernel, and two were sandbox escapes. Some of the errors could have easily been rectified had Apple done thorough code review and testing.
At the user's end, there was no visual indicator that their device had been infiltrated. There was no way to find out if the monitoring implant was running, because iOS doesn't display a process listing. The implant primarily stole files and live location data. The attackers received data every 60 seconds.
Monitoring Implant Sent Sensitive Data To Attackers
The implant was able to access the database files used by commonly used apps such as iMessage, WhatsApp, and Telegram. In plain words, attackers were able to see all the contents of the messages transmitted, including images. The implant also stole the complete contact database of users as well as their photos.
Perhaps the creepiest of all is the fact that the implant was also able to track the location of victims in real time. The location data was uploaded once every minute if the device was online. Other than that, it also uploaded the iPhone's keychain, which contains important credentials and certificates.
Using that, it was possible for the attackers to maintain access to important services, such as a user's Google account, even if the implant wasn't running.
Moreover, using long-lived tokens, there was also a possibility of using the keychain to sign in to the Gmail web interface on a separate device.
Google reported these issues to Apple on 1 Feb 2019. As a result, Apple rolled out iOS 12.1.4 earlier than expected, on 7 Feb 2019, to fix the problem. So even though there is nothing to worry about now, it's worth mentioning that millions of iPhones and possibly iPads remained exposed for a good two years. According to a newer report, the websites also targeted Microsoft's and Google's operating systems. The two companies have not commented on this so far.