Google says iPhone security flaws let websites hack away for years

It’s time everyone updates their iOS devices to the latest versions…

Malicious sites installed a “monitoring implant” that compromised personal data on iPhones that simply visited them, according to security researchers.

Google’s Project Zero security researchers have revealed that they found several hacked websites that slipped malware onto people’s iPhones for years. If people visited one of the sites, their messages, photos and location data could have been compromised. The team reported its findings to Apple earlier this year, and the vulnerability was patched in the same update that fixed the FaceTime eavesdropping bug.

“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” Project Zero’s Ian Beer wrote in a Thursday blog post detailing the team’s discovery. “We estimate that these sites receive thousands of visitors per week.”

The attacks are a rare display of vulnerabilities for iPhones, which are generally considered highly secure devices. Apple has offered up to $1 million in bug bounties for security researchers who can find critical vulnerabilities on its devices. Often, attacks on iPhones are difficult to carry out, and usually limited to espionage between countries. It’s unclear who’s behind this attack that could compromise millions of devices just by a single visit.

“It’s always been possible, but the cost of these vulnerabilities on the open market means they’ve never been used in an attack like this before,” Thomas Reed, director of Mac and mobile security at Malwarebytes, said in an email. “In the past, iOS malware has been primarily used in targeted attacks by nation-states. By targeting specific people, they limit the exposure of the vulnerabilities used, protecting them against discovery by Apple.”

The hack didn’t work off of any single vulnerability. Google’s team found that it used 14 zero-day vulnerabilities across five separate exploit chains. The vulnerabilities ran from iOS 10 to the current version, iOS 12, meaning the hackers targeted iPhone users over at least two years. When Google disclosed the vulnerability to Apple in February, the company issued a patch less than a week later.

This hack gave attackers full control of a victim’s iPhone, allowing them to install malicious apps, get real-time location data and steal photos and messages, even if they’re encrypted. Because of the malware’s deep level of access, it could even get contents of messages before they were encrypted, Google’s researchers said. The implant could access the device’s keychain, which includes passwords and database files used by end-to-end encrypted messaging apps like WhatsApp, Telegram and iMessage.

As the attacks siphoned off people’s personal information, they were sending that data without encryption, which meant that anyone on the same Wi-Fi network could also see all of the stolen content.

The malware was wiped if people rebooted their iPhones, but would return if they visited one of the hacked sites again, the report noted. Also, even if the malware was wiped, hackers could cause more damage with stolen passwords and private messages it obtained. There’s also no way to tell if you’ve been affected, Reed said.

iOS doesn’t allow for malware scans, and it’s possible that contributed to the hack being hidden for so long, the security researcher said.

“The very nature of iOS, intended to keep devices secure, may have worked against us in this case by preventing the attack from being discovered,” Reed said.

Apple declined comment, but make sure your iPhone is fully updated to prevent this vulnerability from hitting you.

Source: CNET

What a time for Google to announce this news with new iPhones set to release on September 10th

What are your thoughts? Are you updating your iOS versions? Will this impact the new iPhone release and the product itself?

Have your comments…

4 Likes

It just sounds like Google to be happy to have found something on Apple.

2 Likes

Thanks for sharing this, I had no idea.

At least Apple paid to be able to fix this vulnerability :wink:

1 Like

Should have gotten android

Up to date
Years ahead of apple
Oh yeah, no viruses

1 Like

That is just wrong. You really think that Android is more secure than Apple? Android doesn’t care if your phone security is compromised, Apple pays millions of dollars in commissions to people who find vulnerabilities, as well as the team they regularly pay to do the same.

2 Likes

And yet…

I can think of a few times apple has been compromised, even with getting people to dial 911, and other times viruses have caused major disruption to iPhone users.

Then there’s cases like bendgate and other type mistakes, oh of course there was the original DEATH GRIP! Who can forget that one?

1 Like

Of course. There’s no such thing as an operating system that doesn’t have vulnerabilities. It can’t happen, and it never will happen.

Apple has just made such a name for themselves for being “secure” that when a vulnerability comes out, EVERYONE hears about it.

Android is always insecure, so you never hear about it.

1 Like

If a particular too android had been vulnerable for and had been attacked, Apple would have made sure the world knew, especially if it happened to a Samsung… Their nemesis!

1 Like

:man_facepalming: I’ve given up on you. One last comment. If android is so secure, why is it always so easy to root the OS? The root for android comes out almost immediately after the release of the new versions.

On iOS on the other hand, it can sometimes take months, and sometimes they don’t even come for that version at all.

2 Likes

Android is built on Linux, of course it’s rootable, it’s open software, but the phones themselves are fine.

I think the problem in Android land is really that once your phone is unsupported, you’re totally out of luck security update wise unless you can flash a custom ROM. There are millions of very vulnerable support-abandoned Android phones still in use today.

All this being said, I can’t seem to like iOS no matter how many times I try it. I also professionally support these every day. Android all the way for me.

1 Like

People never like switching OS once they get used to one :wink:

1 Like

iOS and Android are both kinda based on Linux. Each has its own positives and negatives, some like Android for openness and ease of customization, while some love iOS for ease of use and upgrade cycles for old devices with support up to 5 years.

Apart from it, these are businesses which care more about their profits and hurt each other via ads and all these vulnerabilities, just look at the timing of the release of the news… it might have been with Google for longer than the time they released it.

Users have no option but to update to latest and try not to go to these malware sites.

1 Like

I am more of an Apple fan, with the Apple ecosystem… and still don’t like the walled garden…

That’s it. So I like pure LINUX.

1 Like

I don’t think I could switch to iOS since I am so used to Android and its functions. :iphone:

1 Like

The thing is, the same with iOS. No more updates etc. for iPhone 5 and backwards!

2 Likes

Old iPods, iPads are lost.
No more updates possible.
All rotten Apples.

Never was amused about.
“Buy new ones, all such lousy apples, which will be rotten in the near future.”

I WILL NOT!
NEVER!

1 Like

But android phones generally only have support for 2 years, iPhones will have support for 5+ years. Completely different ball games…

1 Like

LINUX has support for ever! :wink: