How easy it was to hack the iPhone, even the latest iPhone like the iPhone XR or the iPhone XS running iOS 12? Very easy, says Google’s Project Zero, a team of elite cyber security researchers. A researcher with the Project Zero team says that it found a serious exploit earlier this year which revealed the iPhone could be hacked through a malicious website if a user opened that site through Safari browser. The bug was so serious that hackers were able to load monitoring code into an iPhone as soon as the website was opened on the phone and then they could use loaded code to track users, including their activities in apps like Instagram and Facebook.
“Earlier this year Google’s Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day,” wrote Ian Beer of Project Zero. “There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.”
Beer in his post on official Google site explained that “Project Zero’s mission is to make 0-day hard… We often work with other companies to find and report security vulnerabilities, with the ultimate goal of advocating for structural security improvements in popular systems to help protect people everywhere.”
It is believed that the Project Zero is staffed with some of the best cyber security experts, and they routinely find serious security bugs and vulnerabilities in tech products created by Google as well as other companies such as Apple and Microsoft.
In his post, Beer says that method used by hackers to hack into iPhone was confirmed earlier this year. “Initial analysis indicated that at least one of the privilege escalation chains was still 0-day and unpatched at the time of discovery. We reported these issues to Apple with a 7-day deadline on 1 Feb 2019, which resulted in the out-of-band release of iOS 12.1.4 on 7 Feb 2019,” he wrote.
In other words, if you have an iPhone ensure that it is now running iOS 12.1.4 or newer version of iOS.
While the bug that allowed hackers to get into an iPhone doesn’t seem as widespread as some of the security problems that affect Android phones — just yesterday, we heard how CamScanner, an app with over 100 million install, was targeting users through rogue code — the announcement from Project Zero matters. It matters because there is a perception that iPhone is the most secure publicly-available smartphone and hence it is often used by lawmakers, top politicians, bureaucrats, businessmen, journalists, human rights lawyers and others who do sensitive work.
Beer hinted at the same when he wrote, “Real users make risk decisions based on the public perception of the security of these devices.” Then the Google security researcher advises that no phone — not iPhone nor Android phone — should be considered completely safe.
The bug potentially left anyone using an iPhone at a huge risk because just by tricking them into visiting a website, hackers could take total control of the phone and could monitor their activities and data.
Thousands of iPhone users were infected. Writes Beer, Google team was “able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.