03 Sep 2019
Google researchers released a report earlier today that warns your iPhone can be hacked just by visiting one innocent-looking website.
In a previously discovered iPhone hacking campaign, Google’s Project Zero identified at least five unique iPhone exploit chains that were capable of remotely jailbreaking an iPhone and loading spyware on it. Those exploit chains were found to use a total of 14 separate vulnerabilities in Apple’s iOS. A blog post by Project Zero researcher Ian Beer stated that only two of the 14 security vulnerabilities, CVE-2019-7287 and CVE-2019-7286, were zero-days that were unpatched at the time of discovery. The campaign went on for two years.
“We reported these issues to Apple with a 7-day deadline on 1 Feb 2019, which resulted in the out-of-band release of iOS 12.1.4 on 7 Feb 2019. We also shared the complete details with Apple, which were disclosed publicly on 7 Feb 2019,” Beer says. “Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.”
When an iPhone user landed on one of the hacked websites, WebKit exploits were triggered that attempted to gain access to the user’s iOS device. Privilege escalation then permitted deeper access until root access was finally obtained. iMessages, photos, and live GPS locations were then uploaded to an external server every 60 seconds. The spyware implant also stole data from several apps like WhatsApp, Telegram, iMessage, and private chat and stored that data in plain text. Perhaps worse, the spyware also gained access to keychain data containing credentials, authentication tokens, and certificates. The long-lived tokens included those for services such as Google’s Single-Sign-On, which gave the hackers access to the user’s Google account even once the spyware was no longer running.
According to Beer, there is “no visual indicator on the device that the implant is running.” Beer went on to say that there’s “no way for a user on iOS to view a process listing, so the implant binary makes no attempt to hide its execution from the system.”
Apple has already patched the majority of the exploits and vulnerabilities, and users are advised to always keep their devices up to date.