Security researchers at Google have found evidence of a “sustained effort” to hack iPhones over a period of at least two years. The attack was said to be carried out using websites which would discreetly implant malicious software to gather contacts, images and other data. Google’s analysis suggested the booby-trapped websites were visited thousands of times per week, the BBC reported.
Mobile device security has historically been a slow-moving and often frustrating undertaking, but the result has created spikes in mobile device weaponization like the news we saw today. This raises profound concern about the security of the devices we carry around on an everyday basis, and which we increasingly use to access and process both personal and corporate data. By hacking into popular mobile apps like WhatsApp and iMessage, cybercriminals can gain access to sensitive information like encrypted messages, personal health information, location data, and in extreme cases, things like industrial plans or sovereign policies, as we saw with the recent Huawei news in Africa. This type of attack will come as a shock to some, as it goes against the security promised by these types of applications. But the security software likely isn’t the culprit here – it’s possible this breach is the result of a lapse in the security update integration time. Companies should be responsible for immunizing their applications to prevent potential devastation, as ineffective mobile device and data security is something that will continue to generate concerns in the coming years.
The identification of these exploits targeting iOS devices proves that even products designed from the ground up to protect your privacy aren’t 100% secure. The notion that only you can access your device is far from the truth. Your device and the apps that run on it are supported by many third parties who can potentially access your behavioral and personal information, from how many steps you’ve taken this morning to where you bought your coffee to which article you read on which online publication. That’s just three of the many things you did this morning; it doesn’t include your location even with your GPS off, the credit card balance you paid off, and what pictures you IM’d to whom. This is today’s surveillance economy, made possible by the digital ecosystem’s growing presence – with our unmindful consent – in our daily lives. And in this economy, the only way we can restore our privacy is for manufacturers, developers, online publishers, adtech/martech, data management providers, and everyone else in between, to work together on setting higher privacy and security standards that should include knowing who all their digital third parties are, what these third parties are doing and for what purpose, and uprooting these third parties from the digital ecosystem when they violate digital policies.
Ironically, this is not limited to just iPhones, and many websites exist that are trying to implant malware into all vendors’ mobile devices to steal data or gain persistent access.
What is surprising here is that they are using zero-days and, in my experience, neither cyber criminals nor nation states will waste zero-days on limited opportunistic cyberattacks. This typically means that such cyberattacks using zero-days are usually targeted against a specific set of victims in order to access extremely sensitive data or gain persistent access, to laterally move to more sensitive networks or critical infrastructure at a later time.
What is surprising as well is why Google has not called out the websites but instead pointed to the vulnerabilities. If the websites hosting harmful malware are legitimate companies with serious infections, then they are also responsible and must take action to secure them.
This just highlights how important it is to keep your devices updated to the latest iOS. Threat actors will not stop at anything to try and exploit Apple’s operating system where they can. Not only would such inconvenience or even malware have such a damaging effect on Apple and its users, cybercriminals around the world see breaking Apple’s ecosystem as a sort of pinnacle of their ‘career’, so this amount of attacking will only ever increase. There is much kudos to be had for taking down such a secure environment of this level, so it gets more attention than it possibly warrants from bad actors.
This is an interesting piece of research and it confirms what many have long suspected – that sophisticated attack chains targeted at iOS are being constantly developed, and sooner or later there will be a big problem for Apple users.
However, let’s not panic just yet: if this set of exploits is working in the wild, this research has not found any evidence of it and, in fact, as the Google team note, “this was a failure case for the attacker.” However, the holy grail of iOS kernel compromise appears to be within reach and we should not be complacent. These are exploits delivered by a compromised or malicious web site, and as such, would lend themselves to phishing and watering-hole campaigns where victims are lured or tricked into visiting the site for the malicious software to be run by their Safari browser.
The best action users can take is to make sure their iOS devices are up to date with the latest patches from Apple – with the Apple ecosystem preventing the user (or malware purporting to be the user) from side-loading apps from outside of the Apple store. It remains largely unnecessary to run separate AV software on iOS devices, and in the case of the exploits researched by Google, AV would likely not have stopped data exfiltration anyway. If you’re on iOS, the simple advice is still to update your phone and allow it to reboot when it asks to (don’t keep telling it to do it “later”) and don’t “jailbreak” your device if you want to remain inside that cosy walled garden.