Google’s Project Zero team – a group of cyber security experts that work to uncover vulnerabilities in popular software programs – have been at it again. Through their research the team have uncovered several hacked websites that use unknown security flaws to attack iPhones that navigate to their pages.
When a user visited one of the malicious websites in question using an iPhone vulnerable to the exploit, then there was a potential for their personal data to be compromised. This could have included files, message history, and even real-time location data.
Tech blog Motherboard reported that the breach could be “the biggest attack against iPhone users yet”, indicating how the websites were able to install a monitoring implant that had access to ‘keychain’.
‘Keychain’ is the iPhone password manager that is natively built into the device software, iOS (iPhone/iPad Operating System). It’s responsible for looking after the most sensitive of your personal data, such as account names, email addresses, passwords and payment card information, which is how you can auto-fill forms online so quickly and easily from your phone.
“Earlier this year Google’s Threat Analysis Group (TAG) discovered a small collection of hacked websites (…) There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.”Google’s Project Zero team
Supposedly the implant would be deleted from an affected device once the user rebooted it, or it ran out of battery. But according to the Google researchers at Project Zero, the fact that the attack accesses keychain means that attackers could access authentication tokens from the software, giving them long-time access to accounts even after the implant is gone.
Altogether, the team reportedly discovered 14 vulnerabilities that affected iOS versions ranging from 10 through to 12. This highlights the length of time that the exploits were in use by malicious third parties without being found and patched. After contacting Apple, the exploits were than fixed in iOS 12.4.
Though these particular vulnerabilities are now fixed in the latest versions of iOS, Google’s team highlight the likelihood of there being more out in the wild that are yet to be found. So while you can’t predict when these vulnerabilities will surface, you can ensure that you keep iOS fully up to date wherever possible. If you need help or advice in checking that your iPhone is running the latest software updates, speak to WiseGuys on 0808 123 2820.