iPhone users were the victims of a “sustained” zero-day attack. The vulnerability lasted at least two years says a new report by Google’s Project Zero. Project Zero is a team of white hat hackers working for Google with the goal of finding vulnerabilities in popular software products.
The researchers say the attack on iOS used a piece of malware hidden in a webpage, which quietly installs itself when loaded on the device. Once installed on a device running iOS 10 or higher, the device shares a lot of information with hackers, including location, contacts, messages. In testing, the malware is able to extract data from third parties, like WhatsApp, Google Maps, and GMail.
Not surprisingly, having this kind of data gives criminals a detailed picture of a person. After the recent revelation that Apple used contractors to listen to Siri conversations – meaning that recorded audio exists, and could be compromised – it is deeply troubling to think how much data hackers may have accessed. This data could be used for targeted phishing attempts, blackmail and more.
The attack is already in the wild, though it is not known how many handsets have fallen prey, nor who is behind it (Update: It was China) – something we’ll perhaps never know. Google didn’t name the websites that served up the infection and haven’t shared details about the hackers or their victims.
Google says it alerted Apple to this zero-day vulnerability on February 1, and that Apple patched it in iOS 12.1.4, released on February 7, 2019. But that still means at least two years of potentially compromised data.
This is the second round of security flaws Project Zero has uncovered and announced in iOS in the last 35 days. The first bug allowed malicious code through iMessage. Meaning an attacker could intercept communications, cause apps to crash, and trigger arbitrary code execution, according to Apple’s notes.
“Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you’re being targeted. To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group. All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”Wrote, Ian Beer of Project Zero.
iPhone users are advised to update to iOS 12.1.4 as soon as possible. The 12.1.4 update also fixes the bug that allowed users to listen in on others using group FaceTime calls.
Update: I emailed Allen Gwinn, a Professor of Practice, SMU Cox School of Business. Professor Gwinn was kind enough to respond with an email that absolutely ruined my day. I have posted it below, in italics, with editing only for formatting.
“Keep in mind, also, that we’re talking about ‘known’ vulnerabilities in iOS and there could likely be many unknown others. The root cause of these security issues is the closed, tightly-controlled, proprietary nature of Apple’s iOS. When it comes to hacking, it’s the whole world of hackers versus a comparatively small team of core developers at Apple and, by the law of numbers, the hackers are always going to win. Compounding the problem is that alternative browser apps, which might tend to abate these problems, are forced to use the same framework (iOS WebKit) to interact with iOS.
What this means for the end user is that everything web-centric (Firefox, Chrome, etc.) is equally as hackable as iOS Safari. Open-source Mozilla even warns users that it’s Firefox add-ons and extensions, many of which improve security, won’t work on iOS because of Apple’s ‘proprietary iOS extension system‘.
My specific advice to users would be to not use their iPhone/iPad to browse the Internet if they’re concerned about leaking confidential data! OK, look, I have an iPad (also an Android phone) and I don’t plan to quit surfing the Internet. It’s unrealistic. But I do have Siri disabled on my iPad and Macbook Pro. I keep Bluetooth off except on the rare occasions when I need to use a headset because I’ve long been suspicious of iOS ‘bluejacking’. I only charge my iPad with my own charger to prevent iOS “juicejacking”, am careful with the WiFi networks to which I connect to prevent ‘trustjacking’, and have AirDrop completely disabled.
Also, in fairness, we should probably not let Microsoft off the hook for Windows. For every one undiscovered security flaw in iOS there are likely thousands in Windows. But it highlights the dangers inherent in closed-source proprietary operating systems.
Apple will likely cite it’s $1,000,000 ‘bounty’ for exploits as being adequate protection. I would counter that a reliable serious exploit for iOS is probably worth well more than a million dollars to bad actors. I offer as proof: the “at least 2 years” undetected exploits that Google found. So as long as iOS is proprietary and closed-source, Apple may well be the last to hear about its own bugs.”
Header Image: Staff