On Thursday evening, Google’s Project Zero security research group revealed a broad iPhone hacking campaign. A set of websites in the wild had assembled five so-called exploit chains, tools that link together security flaws so that an attacker can penetrate each layer of iOS’s defenses in turn. The rare and complex chains exploited a total of 14 security flaws, targeting everything from the browser’s “sandbox” isolation mechanism to the core of the operating system known as the kernel, ultimately obtaining complete control over the phone.
The chains were also used anything but sparingly. Google’s researchers say the malicious sites were programmed to assess any device that loaded them and, where possible, to compromise it with powerful monitoring malware. Almost every version of iOS 10 through iOS 12 was potentially vulnerable. The websites had been active since at least 2017 and received many visitors every week.
“This is terrifying,” said Thomas Reed, Mac and mobile malware research specialist at the security firm Malwarebytes. “We’re used to iPhone infections being targeted attacks carried out by nation-state adversaries. The idea that someone was infecting all iPhones that visited certain sites is chilling.”
The attack is notable not just for its breadth but also for the depth of data it could glean from a victim’s iPhone. Once installed, the implant could monitor live location data, or be used to grab images, contacts, and even passwords and other private details stored in the iOS Keychain.
With such deep system access, the attackers could also potentially read or listen to communications sent through encrypted messaging services like WhatsApp, iMessage, or Signal. The malware doesn’t break the underlying encryption, but those apps necessarily decrypt messages on the sender’s and receiver’s devices, where an implant with this level of access can read them. Attackers may even have grabbed access tokens that can be used to log in to services such as social media and communication accounts. Reed says that iPhone victims would probably have had no indication that their devices were compromised.
Google hasn’t yet named the websites that served as the “watering hole” infection mechanism, or shared other details about the attackers or who their victims were. The company says it warned Apple about the zero-day iOS flaws on February 1, and Apple patched them in iOS 12.1.4, released on February 7. Apple declined to comment on the findings. But based on the information Project Zero has shared, the operation is almost certainly the largest known iPhone hacking incident to date.