For two years, a handful of websites have indiscriminately hacked thousands of iPhones.
From VLCM Cybersecurity Solutions Architect, Dan Schuyler - “This is a major exploit of Apples iPhone operating system and while iOS is a robust operating system, it is not impervious to unknown (zero day) exploits. Malicious websites will continue to be a primary method that hackers will use to exploit known and unknown iOS vulnerabilities. This is a reminder that all iPhone and Android OS users should avoid visiting unknown websites, and should update their iOS or Android phones when security updates are released.”
Originally posted on Wired
Hacking the iPhone has long been considered a rarified endeavor, undertaken by sophisticated nation-states against only their most high-value targets. But a discovery by a group of Google researchers has turned that notion on its head: For two years, someone has been exploiting a rich collection of iPhone vulnerabilities with anything but restraint or careful targeting. And they've indiscriminately hacked thousands of iPhones just by getting them to visit a website.
On Thursday evening, Google's Project Zero security research team revealed a broad campaign of iPhone hacking. A handful of websites in the wild had assembled five so-called exploit chains—tools that link together security vulnerabilities, allowing a hacker to penetrate each layer of iOS digital protections. The rare and intricate chains of code took advantage of a total of 14 security flaws, targeting everything from the browser's "sandbox" isolation mechanism to the core of the operating system known as the kernel, ultimately gaining complete control over the phone.
They were also used anything but sparingly. Google's researchers say the malicious sites were programmed to assess devices that loaded them, and to compromise them with powerful monitoring malware if possible. Almost every version of iOS 10 through iOS 12 was potentially vulnerable. The sites were active since at least 2017, and had thousands of visitors per week.
"This is terrifying," says Thomas Reed, a Mac and mobile malware research specialist at the security firm Malwarebytes. "We’re used to iPhone infections being targeted attacks carried out by nation-state adversaries. The idea that someone was infecting all iPhones that visited certain sites is chilling."
The attack is notable not just for its breadth, but for the depth of information it could glean from a victim iPhone. Once installed, it could monitor live location data, or be used to grab photos, contacts, and even passwords and other sensitive information from the iOS Keychain.
With such deep system access, the attackers could also potentially read or listen to communications sent through encrypted messaging services, like WhatsApp, iMessage, or Signal. The malware doesn't break the underlying encryption, but these programs still decrypt data on the sender and receiver's devices. Attackers may have even grabbed access tokens that can be used to log into services like social media and communication accounts. Reed says that victim iPhone users would probably have had no indication that their devices were infected.
Google hasn't named the websites that served as a "watering hole" infection mechanism, or shared other details about the attackers or who their victims were. Google says it alerted Apple to its zero-day iOS vulnerabilities on February 1, and Apple patched them in iOS 12.1.4, released on February 7. Apple declined to comment about the findings. But based on the information Project Zero has shared, the operation is almost certainly the biggest known iPhone hacking incident of all time.
"The prevailing wisdom and math has been incorrect." - COOPER QUINTIN, EFF THREAT LAB
It also represents a deep shift in how the security community thinks about rare zero-day attacks and the economics of "targeted" hacking. The campaign should dispel the notion, writes Google Project Zero researcher Ian Beer, that every iPhone hacking victim is a "million-dollar dissident"—a nickname given to now-imprisoned UAE human rights activist Ahmed Mansour in 2016 after his iPhone was hacked. Since an iPhone hacking technique was estimated at the time to cost $1 million or more—as much as $2 million today, according to some published prices—attacks against dissidents like Mansour were thought to be expensive, stealthy, and highly focused as a rule.
The iPhone-hacking campaign Google uncovered upends those assumptions. If a hacking operation is brazen enough to indiscriminately hack thousands of phones, iPhone hacking isn't all that expensive, according to Cooper Quintin, a security researcher with the Electronic Frontier Foundation's Threat Lab.
"The prevailing wisdom and math has been incorrect," says Quintin, who focuses on state-sponsored hacking that targets activists and journalists. "We've sort of been operating on this framework, that it costs $1 million to hack the dissident’s iPhone. It actually costs far less than that per dissident if you’re attacking a group. If your target is an entire class of people and you're willing to do a watering hole attack, the per-dissident price can be very cheap."
It remains far from clear who might be behind the brazen campaign, but both its sophistication and focus on espionage suggest state-sponsored hackers. And Quintin points out that the campaign's mass infection tactics imply a government that wants to surveil a large group that might self-select by visiting a certain website. "There are plenty of minority groups like the Chinese Uyghurs, Palestinians, people in Syria, whose respective governments would like to spy on them like this," Quintin says. "Any of those governments would be happy to pull out this technique, if they came into exploit chains of this magnitude."
The campaign bears many of the hallmarks of a domestic surveillance operation, says Jake Williams, a former NSA hacker and founder of the security firm Rendition Infosec. And the fact that it persisted undetected for two years suggests that it may have been contained to a foreign country, since this kind of data traveling to a faraway server would have otherwise raised alarms. "After two years without getting caught, I can’t fathom this has crossed national boundaries," he adds.
The hackers still made some strangely amateurish mistakes, Williams mentions, making it all the more extraordinary that they operated so long without being detected. The spyware the hackers installed with their zero-day tools didn't use HTTPS encryption, potentially allowing other hackers to intercept or alter the data the spyware stole in transit. And that data was siphoned over to a server whose IP addresses were hard-coded into the malware, making it far easier to locate the group's servers, and harder for them to adapt their infrastructure over time. (Google carefully left those IP addresses out of its report.)
Given the mismatch between crude spyware and highly sophisticated zero-day chains used to plant it, Williams hypothesizes that the hackers may be a government agency that bought the zero-day exploits from a contractor, but whose own inexperienced programmers coded the malware left behind on targeted iPhones. "This is someone with a ton of money and horrible tradecraft, because they’re relatively young at this game," he says.
Regardless of who may be behind it, the mass undetected hacking of thousands of iPhones should be a wake-up call to the security industry—and particularly anyone who has dismissed iOS hacking as an outlier phenomenon, unlikely to affect anyone whose secrets aren't worth $1 million. "To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group," Google's Beer writes. "All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them."