An unprecedented iPhone hacking operation, which attacked “thousands of users a week” until it was disrupted in January, has been revealed by researchers at Google’s external security team.
The operation, which lasted two and a half years, used a small collection of hacked websites to deliver malware on to the iPhones of visitors. Users were compromised simply by visiting the sites: no interaction was necessary, and some of the methods used by the hackers affected even fully up-to-date phones.
Once a phone was hacked, the user’s deepest secrets were exposed to the attackers. Their location was uploaded every minute; their device’s keychain, containing all their passwords, was uploaded, as were their chat histories on popular apps including WhatsApp, Telegram and iMessage, their address book, and their Gmail database.
The one silver lining is that the implant was not persistent: when the phone was restarted, it was cleared from memory unless the user revisited a compromised site. However, according to Ian Beer, a security researcher at Google: “Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device.”
Beer is a member of Project Zero, a team of white-hat hackers inside Google who work to find security vulnerabilities in popular tech, no matter who produces it. The team has become controversial for its hardline approach to disclosure: 90 days after it reports a bug to the vendor, it will publish the details publicly, whether or not the bug has been fixed in that time.
In total, 14 bugs were exploited for the iOS attack across five different “exploit chains” – strings of flaws linked together in such a way that a hacker can hop from bug to bug, increasing the severity of their attack each time.
“This was a failure case for the attacker,” Beer noted, since even though the campaign was dangerous, it was also discovered and disrupted. “For this one campaign that we’ve seen, there are almost certainly others that are yet to be seen.
“All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”
Google said it had reported the security issues to Apple on 1 February. Apple then released an operating system update which fixed the flaws on 7 February.