Sun Sentinel Palm Beach Edition
Google experts say websites infected iPhones
Suspected nation-state hackers used malware-laden websites to infect iPhones with spyware in what security researchers are calling the worst general security failure yet affecting the Apple devices.
Announced late Thursday by Google researchers, the vulnerabilities were fixed by Apple in February but only after thousands of iPhone users were believed exposed over more than two years.
The researchers did not say who was behind the cyberespionage or what population was targeted, but experts said the operation had the hallmarks of a nation-state effort.
Sensitive data accessed by the spyware included WhatsApp, iMessage and Telegram text messages, Gmail, photos, contacts and real-time location — essentially all the databases on the victim's phone. While the messaging applications may encrypt data in transit, it is readable at rest on iPhones.
“This is definitely the most serious iPhone hacking incident that's ever been brought to public attention, both because of the indiscriminate targeting and the amount of data compromised by the implant,” said former U.S. government hacker Jake Williams, the president of Rendition Security.
Google researcher Ian Beer said in a blog posted late Thursday that the discovery should dispel any notion that it costs a million dollars to hack an iPhone. That's a reference to the case of a United Arab Emirates dissident whose iPhone was infected in 2016 with so-called zero-day exploits, which have been known to fetch such high prices.
“Zero day” refers to the fact that such exploits are unknown to the developers of the affected software, and thus they have had no time to develop patches to fix it.
The discovery was made by Google’s external research team Project Zero, which hunts security vulnerabilities in software and microprocessor firmware, independent of their manufacturer, that criminals, state-sponsored hackers and intelligence agencies use.
Since it was created in July 2014, the team has found and reported nearly 1,600 hardware and software vulnerabilities. But Project Zero has taken heat for its tough tactics: after reporting a bug, the team gives the vendor 90 days to fix it before Project Zero discloses the details publicly. (In some cases, Google will offer an additional 14-day grace period.)
Google contends that the deadline produces the best results. Earlier this month, Project Zero said that about 95.8% of the bugs it finds and reports are patched before the 90-day deadline.
But when Project Zero informed Apple of the breach Feb. 1, it gave it seven days to fix it, citing the need for urgency. The iPhone maker released iOS 12.1.4 on Feb. 7.
Apple is guarded with its products, shielding them from even well-meaning hackers looking to probe iOS vulnerabilities. But the company gradually opened its products up to researchers, and recently announced plans to release a hacker-friendly phone to certain experts in the interest of uncovering vulnerabilities more quickly.