For years there’s been a rivalry between iPhone and Android phone users over the security of each of their devices. Apple fans have long lambasted Android for its perceived vulnerability to hack attacks due to the diversity of the operating system, while Android users have hit back that the very diversity Apple fans hate is what keeps them safe.
Now, researchers at Google’s Project Zero security team have disclosed a massive hole found in key software on iOS. It follows Google researchers revealing a series of iPhone flaws over the last few months.
Ian Beer, a security researcher at Google, said the latest vulnerabilities found show Apple users have fallen victim to hack attacks for “a period of at least two years”.
Google’s Threat Analysis Group, which scours the internet for vulnerabilities, came across a collection of hacked websites earlier this year. The websites contained code that could weasel into an iPhone using vulnerabilities in Safari, the iPhone’s web browser, its kernel or other means.
“Since iOS 10 there are vulnerabilities – seven in Safari, 12 in total – that, when they are chained, or combined in a particular way, can be used to gain root access to the user’s iPhone,” says John Opdenakker, a cybersecurity researcher. “This gives them the highest level of permissions.”
The “indiscriminate” attack meant that any user who visited one of the hacked websites would be attacked using “exploit chains” – leapfrogging from one part of the phone to another, using memory management exploits, to worm deeper into the device until the hackers had “root” access, able to view everything including your photos, messages, location and passwords – all in real time. “All it takes to get your device compromised is visiting these websites,” says Opdenakker.
“It’s not just one flaw they’ve exploited. It showed no sign of running but had all the privileges of being the most privileged piece of software on your phone,” says Alan Woodward of the University of Surrey’s Centre for Cybersecurity. At this stage it has not been revealed which websites were impacted, who could be behind the attack, or how many devices may have been impacted.
“What’s interesting about these is that they appear to be planted at relatively random watering hole sites. Something as sophisticated as this you might suspect to be really targeted, but this looks like it was spread round to catch lots of people and get on lots of phones.”
Google’s team let Apple know about the vulnerability in February, and Apple pushed out an update to iOS – 12.1.4 – within a week.
How bad is it?
“It’s very bad,” says Alan Woodward. “There are two aspects to this. You hear people talking about sophisticated attacks, and it’s not. It never is. But this is. This really is. The amount of effort that has gone into this is extraordinary.”
“The vulnerabilities weren’t known about for years,” says Opdenakker. “At least not known to Apple. It’s pretty bad because it only needs users to visit a site in Safari.” Around one in five mobile users worldwide browse the internet using Safari.
“It seems to show a pattern of somebody trying to get their implant on just as many phones as they could,” adds Woodward. “If you look at what the implant does, it seems to have access to a whole series of things but is able to get into WhatsApp, iMessage and Telegram. It’s almost as if somebody was trying to get on as many iPhones as possible to do some monitoring of messages.” Because many of the messaging services it could get access to are end-to-end encrypted, the only way of accessing them is to view them on the iPhone itself.
Google researchers didn’t say who they thought might be behind the attack, but Woodward fears its sophistication points in one direction. “You hear about state-sponsored sophisticated attacks,” he says. “This has all the hallmarks of that. It was a hell of a find.” In the blog post analysing the exploits Beer said the work “indicated a group making a sustained effort to hack the users of iPhones”.
What should you do?
As Apple fixed the vulnerability in February, if you’ve been keeping your iPhone and iPad up-to-date the risk of being hit by the attack has been closed. If you haven’t been keeping your phone running the latest operating system, visit its Settings app, tap General and then Software Update. Here you’ll be shown the latest software available.
But during the two years the issue existed for, there was little that could be done. “As an end user, there’s not a lot you can do about this,” explains Woodward. “Any of us could have visited these sites. They weren’t strange and wacky sites. They were sites that all sorts of different people could have gone to.”
The exploits taken advantage of were all zero-days, meaning they weren’t known to anyone but the hackers. “If Apple didn’t know about them, there’s no way we’re going to know about it,” says Woodward.
It’s also a worrying augur for the future. “For this one campaign that we’ve seen, there are almost certainly others that are yet to be seen,” said Beer in his blog post announcing the vulnerability. It’s a wake-up for iOS users, too. “This shows that if someone puts their mind to it, iOS isn’t more secure than Android,” says Woodward. “It’s a salutary tale that Apple can also be attacked – and in quite dramatic fashion.”
All Rights Reserved for Chris Stokel-Walker