Visiting hacked sites was sufficient to collect pictures and contacts of users
Researchers at Google’s internal safety team disclosed an unprecedented iPhone hacking operation that assaulted “thousands of customers a week” until it was interrupted in January.
The two-and – a-half-year procedure used a tiny collection of hacked websites to deliver malware to visitors ‘ iPhones. Users were compromised merely by visiting the sites: there was no need for communication, and some of the hackers ‘ techniques impacted even fully up-to-date devices.
Once hacked, the attackers were subjected to the deepest secrets of the user. Their place was uploaded every minute; they uploaded the keychain of their device, containing all their passwords, as well as their chat stories on famous applications including WhatsApp, Telegram and iMessage, their address book, and their Gmail database.
The silver fitting is that the implant did not persist: it was removed from memory when the phone was restarted unless the user revisited a compromised site. But Ian Beer, a Google Security Investigator, says: “Because of the scope of data that has been stole, attackers can still have constant access through the stolen keychain authentication tokens, even after they lose access to the device,” says Ian Beer.
Beer is a part of Project Zero, a white hacker team in Google that works to discover safety problems in popular technology, regardless of who produces them. The team became controversial because of its harsh revelation strategy: 90 days after reporting a bug to the victim, it will publish information in public if the bug has been fixed at the moment.
In total, 14 bugs were used to attack the iOS on five distinct “exploit chains” –strings of faults that can jump from bug to bug by hacker, improving the seriousness of each assault.
“This was an attacker’s failure situation,” Beer said, “as the campaign was also found and interrupted although it was hazardous. “There are almost definitely others that still have to be seen for this one campaign we have seen.
All consumers can do is be aware that mass exploitation still exists and behaves accordingly ; their mobile phones can both be considered as essential to their contemporary life, but also as tools that can upload their every action in a database if compromise.
Google told Apple that on 1 February it reported safety problems. Apple published a system update on February 7, which resolved the defects.
Peter Beaumont is a senior reporter on the Guardian’s Global Development desk. He has reported extensively from conflict zones including Africa, the Balkans and the Middle East and is the author of The Secret Life of War: Journeys Through Modern Conflict. Email: peter@thehearus.com
