Hack Exploited Apple Users for Two Years

Security

Researchers from Google’s Project Zero have discovered a threat campaign that operated against users of Apple iOs devices for two years. 

Earlier this year Google’s Threat Analysis Group (TAG) discovered that a small collection of hacked websites was being used to carry out indiscriminate watering-hole attacks against visitors, using iPhone zero-day.  

Victims were ensnared just by visiting one of the hacked websites, which are estimated to have attracted thousands of visitors per week. This simple action alone was enough to inadvertently trigger an exploit server to attempt to install a monitoring implant on the user’s device.

Hackers exploited flaws in iPhone software to stealthily take over a victim’s device and access a user’s contact info, media files and GPS location, together with data from InstagramWhatsAppTelegram and Gmail.

TAG collected five separate, complete and unique iPhone exploit chains, covering most versions of the device from iOS 10 through to the most recent version, iOS 12. 

“This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years,” said Project Zero’s Ian Beer.

He went on to say that investigations into the root causes of the vulnerabilities revealed code that appeared to have never worked correctly, had missed the quality assurance checks or “likely had little testing or review before being shipped to users.”

TAG found 14 different software flaws, seven of which affected the iPhone’s Safari web browser. The group reported the issues to Apple with a seven-day deadline on February 1, 2019, which resulted in the out-of-band release of iOS 12.1.4 on February 7, 2019. 

After summarizing the findings, Beer warned users to wise up to the very real threat of cyber-attacks and to consider where the data they constantly put into their devices may one day end up.    

He said: “The reality remains that security protections will never eliminate the risk of attack if you’re being targeted. 

“All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives yet also as devices which, when compromised, can upload their every action into a database to potentially be used against them.”

Products You May Like

Articles You May Like

New Test Service Launched to Gauge Tech Skills of Job Candidates
How Cloud-Based Automation Can Keep Business Operations Secure
Israeli Cops Arrest Cyber Surveillance Vendor’s Employees
How Visiting a Trusted Site Could Infect Your Employees
Nearly all of Ecuador’s citizens caught up in data leak

Leave a Reply

Your email address will not be published. Required fields are marked *