‘Visiting hacked site was enough’: Google says it discovered major iPhone security exploits
Google’s cyber security team has disclosed what it said were critical vulnerabilities in the iPhone, potentially allowing hackers to access millions of devices over the last two years.
Days after an emergency security patch was rushed out for the latest iPhone operating system (iOS), Google’s Project Zero has claimed that previous iOS versions were susceptible to major intrusions, in some cases letting hackers install “monitoring implants” on devices to steal sensitive information.
The security researchers found that a “collection of hacked websites” was used to exploit fourteen different vulnerabilities on iPhones running iOS versions 10 through 12.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” wrote Project Zero’s Ian Beer in a detailed blog post.
“We estimate that these sites receive thousands of visitors per week.”
Beer added that the team’s findings indicate that a group of hackers made a “sustained effort” to breach iPhones over a two-year period.
The monitoring implants gave hackers the ability to access everything from images and messages stored on an affected device, to apps like Gmail, WhatsApp and Instagram, to highly sensitive information like banking logins and other passwords, potentially leaving customers open to serious identity theft.
While Apple did eventually patch the holes in its iOS update 12.1.4, for years customers were vulnerable to the intrusions, which could still affect users on older devices or those who have not updated their software.
Apple has not yet weighed in on the disclosures.
Apple is not the only tech firm struggling to protect users’ data. Google itself has come under fire over privacy issues. The company was taken to court in the United Kingdom in 2017 over allegations of illegal data collection that affected up to 5.4 million people, while Google’s Android operating system – a major iPhone competitor – was found to collect ten times more user data than Apple’s counterpart. The tech giant also agreed to shell out $22.5 million to the US Federal Trade Commission in 2012 over “misrepresented privacy assurances” to customers.