Google’s Project Zero team has detailed a years-long hacking campaign it says indiscriminately targeted iPhone users. And when successful, the attacks installed monitoring implants that provided access to nearly all personal information available on the device after users visited a hacked website.
Project Zero’s Ian Beer published an in-depth blog post Thursday detailing the exploits, which he said covered almost every iOS version from iOS 10 through the most recent version of iOS 12 and had been active for at least two years. Once users visited a hacked website, its exploit server used the vulnerabilities to attack their iPhones. Project Zero estimated the sites received thousands of visitors per week.
Motherboard characterized the hacks, which left a mountain of victims’ personal data and information compromised, as possibly “one of the largest attacks against iPhone users ever.” Apple patched the issues earlier this year after Google told Apple about the vulnerabilities on Feb. 1 and gave the company a 7-day deadline. TechCrunch noted that Google’s week-long deadline to fix the problems is significantly shorter than the usual 90-day period given to software developers, suggesting how severe the vulnerabilities were.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” wrote Beer.
Specifically, the monitoring implant gave hackers access to all database files on a victim’s phone, according to Beer. This includes unencrypted, plain-text messages sent and received in popular apps that are supposed to be secure with end-to-end encryption, like WhatsApp, Telegram, and iMessage, as well as copies of users’ contact lists, photos, and Gmail accounts. If that weren’t bad enough, real-time GPS tracking was also available. Beer wrote that the implant can upload a user’s real-time location up to once per minute if the device is online.
Beer noted that the implant is deleted if the user’s phone is rebooted (unless or until they re-visit a compromised website), but the attack uses stolen authentication tokens from the keychain, meaning attackers could still maintain full access to accounts like Google, even after the implant is no longer on the device.
While Apple fixed the vulnerability in its iOS 12.1.4 release, Beer noted there are likely other attacks ongoing.
“Let’s also keep in mind that this was a failure case for the attacker: for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen,” Beer wrote.
This comes the day after Apple confirmed it will debut its latest iPhones at a Sept. 10 event.