Members of Google’s Project Zero, a team of security experts tasked with finding zero-day vulnerabilities, say they discovered a serious iPhone security flaw. They found a number of hacked websites were being used in “indiscriminate watering hole attacks” against those accessing the sites via their iPhone.
According to British computer security expert and white hat hacker, Ian Beer, “simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.”
Beer, who is part of Project Zero, says their evidence indicates that the hackers made a sustained effort to hack iPhone users over a period of at least two years. They estimate these dodgy sites were visited thousands of times per week. Most of the flaws they found were within Safari, the default web browser on Apple devices, he added.
Potentially, the implant from the site would grant the attacker access to the iPhone’s keychain, which would, in turn, allow them to access any credentials or certificates contained within it. This could also enable them to access the databases of seemingly secure messaging apps such as Telegram, WhatsApp and iMessage.
A compromised device could allow hackers to access previously encrypted messages in plain text. In addition, the implant was able to track the user’s location in real time, up to once per minute, if the device was online.
After Project Zero reported its findings to Apple, the company issued a software fix to address the flaw in February. iPhone users are being urged to update their system to ensure they are running the latest version of iOS, to protect themselves from the attack.
If the device is rebooted, the implant binary will no longer run on the device. However, the device can be re-exploited if the user visits a compromised site again.
“Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device,” Beer warned.
Unlike theoretical disclosures of security vulnerabilities, Google discovered this attack “in the wild”, which means it was already in use by cybercriminals. It remains unclear who is behind the attack and how valuable it would be on the black market. However, some attacks can be sold for millions until they are discovered and addressed.