Google researchers have discovered several sets of serious vulnerabilities that affected almost all iOS devices over the past two years and could be exploited simply by visiting a compromised site. Enough to monitor “entire populations”.
Apple expected a good day after announcing the launch date of the iPhone 11, but things are not going that way.
Google’s Project Zero team, which specializes in tracking severe 0-day vulnerabilities, has just disclosed not one but five exploit chains, built on fourteen different vulnerabilities.
These were brought to Apple’s attention on February 1, 2019 and were corrected on February 7 in the iOS 12.1.4 update, which all iPhone and iPad users must install if they have not already done so.
The research team was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the most recent version of iOS 12.
This indicated that one group was making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years. This is probably the most serious security incident in the history of iOS.
Indiscriminate and Large-Scale Attacks
As a result, virtually all iOS devices were vulnerable for at least two years, and could be attacked while visiting some websites.
“There was no discrimination in targeting. Simply visiting the hacked site was enough for the exploit server to attack your device and, if successful, install a monitoring implant. The sites involved welcomed thousands of users a week.”
“It’s terrifying,” said cybersecurity researcher Thomas Reed to WIRED magazine.
“We’re used to iPhone infections being targeted attacks by state opponents. The idea that someone was infecting every iPhone that visited some sites is chilling.”
The vulnerabilities allowed the attackers to escalate privileges, and thus gain almost complete access to the internal operation of the device and the data stored on it. Spyware was then installed on the smartphone to send this data back to the attacker’s servers.
A State Actor Involved?
Project Zero does not provide any information on the identity of the hackers who exploited these flaws.
The scale and complexity of these attacks, clearly oriented towards mass espionage, suggest a sovereign state.
It is quite remarkable that the operation was able to remain active for so long without being detected.
It can be assumed that the massive data collection was restricted to the national territory of the country that would have commissioned the operation.
However, the contrast is striking between the sophistication of the 0-days and the amateurism of the spyware they were used to install.
The malicious implant exfiltrated data from the phone without HTTPS encryption, even though HTTPS is now standard on the web, so anyone on the same network could observe what was going on. The data was sent to servers whose IP addresses were hard-coded in clear text in the spyware.
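The two weaknesses just described, cleartext HTTP and hard-coded server IP addresses, are exactly what a network defender can look for. The following is an added example, not code from the article or from Project Zero: it scans constructed proxy-style log lines (a made-up format, not any real product’s) and flags large cleartext POSTs whose destination is a bare IP literal rather than a hostname.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log (not from the article). Each line:
# <timestamp> <client> <method> <scheme>://<host>/<path> <request_bytes>
SAMPLE_LOG = """\
2019-02-01T10:00:01Z 10.0.0.12 GET https://www.example.com/index.html 412
2019-02-01T10:00:07Z 10.0.0.12 POST http://203.0.113.10/upload 184322
2019-02-01T10:00:09Z 10.0.0.15 GET http://198.51.100.7/ 210
2019-02-01T10:00:15Z 10.0.0.12 POST http://203.0.113.10/upload 91240
2019-02-01T10:00:20Z 10.0.0.18 POST https://cdn.example.net/api 5123
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<scheme>https?)://(?P<host>[^/\s]+)(?P<path>/\S*)? (?P<bytes>\d+)$"
)

@dataclass
class Alert:
    ts: str
    client: str
    dest: str
    request_bytes: int

def is_ip_literal(host: str) -> bool:
    """True when the host part is a bare IPv4/IPv6 address, optionally with :port."""
    if host.count(":") == 1:          # IPv4 with a port suffix, e.g. 203.0.113.10:8080
        host = re.sub(r":\d+$", "", host)
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False                  # a hostname, not an address

def find_plaintext_exfil(log: str, min_bytes: int = 64 * 1024) -> list[Alert]:
    """Flag cleartext (http://) POSTs to an IP-literal destination carrying a large body."""
    alerts = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # unparsable line: skip it rather than abort the scan
        if m["scheme"] != "http" or m["method"] != "POST" or not is_ip_literal(m["host"]):
            continue
        size = int(m["bytes"])
        if size >= min_bytes:
            alerts.append(Alert(m["ts"], m["client"], m["host"], size))
    return alerts

if __name__ == "__main__":
    for a in find_plaintext_exfil(SAMPLE_LOG):
        print(f"{a.ts} {a.client} -> http://{a.dest} POST {a.request_bytes} bytes (cleartext to IP literal)")
```

The size threshold is a tuning knob; repeated hits from one client to the same raw address, as in the sample, are the pattern worth escalating.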
“Target and monitor the private activities of entire populations in real time”
It is possible that an inexperienced government agency may have purchased the vulnerabilities from a third-party hacker group, probably for a staggering amount of money.
“They are people with a mountain of money and horrible know-how, because they are relatively new to this game,” Jake Williams, a former NSA hacker, speculated to WIRED.
In any case, these incidents mark a turning point in iOS security. Apple’s operating system was reputed to be difficult to compromise deeply, since each hack could only target a single device, at an exorbitant financial cost; hence the cliché of the “million dollar dissident”, a reference to an Emirati dissident whose surveillance is said to have cost the UAE regime more than a million dollars.
“I would not go into a discussion of whether these exploits have cost 1 million, 2 million or $20 million,” writes Ian Beer of Project Zero.
“Rather, I would suggest that all of these prices appear low given the ability to target and monitor the private activities of entire populations in real time.”