Imagine that an iPhone could be turned into a surveillance tool capable of sending hackers a record of its owner’s entire digital life, including their location in real time, all their emails, chats, contacts, photos and saved passwords.
A showstopper of a compromise, and yet according to Google Project Zero researcher Ian Beer this is exactly what’s been happening to thousands of iPhone users, for more than two years.
It’s a revelation that had some commentators cracking open the hyperbole emergency glass, so let’s cover the important facts of the story before jumping to any alarming conclusions.
The story starts with a discovery by Google’s Threat Analysis Group (TAG):
… [we] discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day.
The first hint that something was up came on 7 February when Apple released an urgent out-of-band update that took iOS to version 12.1.4.
At the time, the main flaw patched by this appeared to be the FaceTime app call snooping bug (CVE-2019-6223). However, further down the same advisory two other flaws (CVE-2019-7287 and CVE-2019-7286) that attackers could use to gain elevated and/or kernel privileges were briefly described.
In a blog this week Beer has offered the more alarming backstory to their discovery and its potential threat.
Several months of analysis later and it seems these flaws were part of a haul of fourteen vulnerabilities abused by the group behind the attacks discovered by Google.
Affecting iOS 10.x, 11.x, and 12.x, seven related to the Safari browser, five the iOS kernel, plus two sandbox escapes. Most of these had been patched over time but the two reported to Apple above were zero days, hence the company’s rush to get 12.1.4 out only days after Google told them about the issue.
Google isolated five unique exploit chains – campaigns run over time using different combinations of flaws – one of which dated back to late 2016.
The exploit chains were used against visitors to a small group of websites hacked as part of a ‘watering hole’ campaign (where sites frequented by target individuals are hacked to serve exploits).
There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.
Although this group of campaigns has been disrupted, Beer thinks there are “almost certainly others that are yet to be seen.”
What this means
Victims’ iPhones would have had malware installed in the form of a powerful monitoring implant capable of stealing chat messages (including WhatsApp, Telegram and iMessage), photos, tracking users’ locations in real time, and even accessing the Keychain password store.
If you set out to design a compromise of a mobile device, it’d be hard to imagine a more complete one than this, excepting that this campaign was eventually detected.
Two caveats to hold on to for encouragement – for attackers to take control of iPhones they still had to tempt victims to specific websites. The malware installed on the phones via the exploit chains stopped working when users rebooted their iPhones, in which case the attackers would have to start infection over again.
Beer’s write-up hints that the attack may be the work of a nation state group trying to gather intel on specific groups of people for political reasons. We can’t verify if that’s true but if it is, it wouldn’t be the first.
Even if the average iPhone user wasn’t the target of the campaigns described by Google, that’s little comfort. We don’t know what other campaigns the group behind them may have been running or who else knew about these exploits.
However, one major strength of Apple’s platform is that the process of deploying updates is very smooth – a big difference from Android where updates aren’t available for some handsets and can take months to become available for others.
iOS has been secure against the exploit chains used in these attacks since version 12.1.4. To check what version you’re using, go to Settings > General > Software Update. This will tell you what version of iOS you’re using and if a newer version is available.