iPhone users have been “quietly” hacked by rogue websites, according to Google.
The tech giant warned that hackers compromised iPhones after users simply visited certain affected websites, and security experts have called it “an alarming security failure”.
Initially, it was thought that either China or Russia were likely targeting an ethnic minority within their respective domains.
TechCrunch have even gone so far as to claim that: “sources familiar with the matter have said that the websites were part of a state-backed attack—likely China—designed to target the Uighur community in the country’s Xinjiang state.”
An article in Forbes noted: “The fact that a nation state is implicated in a mass targeting of Apple’s “locked down” devices against a section of its population, and seemingly escaped notice or censure for two years or more, is a devastating shock to the Apple community. If China can do this, then others can as well. And the solid sense of security has been shattered.”
Project Zero
Google’s Project Zero team revealed that a recent prolific hacking campaign lasted two years and was uncovered earlier this year.
The team hunts for security flaws in software and microprocessor firmware — independent of their manufacturer — that criminals, state-sponsored hackers and intelligence agencies use.
Just clicking on the website allowed hackers to access users’ personal data such as photos and messages.
Although Apple has now fixed the vulnerabilities, thousands of iPhone users are believed to have been exposed.
News of the hack comes just as Apple confirmed its September 10 launch date for the upcoming iPhone 11.
The Google cyber team said the hack affected most iPhone models – even though the Apple devices are known for their privacy and security.
The bug affecting the phones has now been fixed but many iPhone users will have been potential victims of the hack.
It’s thought that at least 2,000 visitors could have been compromised in the breach.
Hackers uncovered contacts, images and even GPS location data. They were also able to mine info from apps including Instagram, WhatsApp and Gmail.
This info was then relayed back to a mystery server every 60 seconds.
By visiting one of the tainted websites some iPhones were infected with an implant capable of sending the smartphone owner’s text messages, email, photos and real-time location data to the hackers behind the operation.
Project Zero’s Ian Beer said that only a “small collection of hacked websites” was uncovered.
“There was no target discrimination – simply visiting the hacked site was enough for the exploit server to attack your site.
“And if it was successful, install a monitoring implant.
“We estimate that these sites receive thousands of visitors per week.”
He added: “[Google] was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12.
“This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.”
Only one attacker has so far been caught, according to Google, but it thinks that others may be operating similar scams.
Google said that Apple was notified of the issue on February 1, 2019.
Apple then patched the flaw six days later, protecting users against the bug.
In a blog post, Mr Beer added that absolute digital security could not be guaranteed.
Smartphone users must ultimately “be conscious of the fact that mass exploitation still exists and behave accordingly”
And that users must treat their mobile devices “as both integral to their modern lives, yet also as devices which, when compromised, can upload their every action into a database to potentially be used against them”.
Avoid future breaches
Tech experts say updating to the latest software version is important to protect against similar hacks and can be done wirelessly.
This can be done easily:
Plug your iPhone into a power socket, and connect to a Wi-Fi network
Tap Settings > General > Software Update
Tap ‘Download and Install’
Tap ‘Install’ to update immediately, or tap ‘Later’ and choose ‘Install Tonight’ to update while your phone is plugged in overnight