You may have heard about the discovery of a hack that targeted iPhone devices via websites for years. Google announced it had uncovered the issue as part of its Project Zero security analysis mission, and it showed how hackers could have accessed thousands of devices over a two-year period.
So how were websites able to hack iPhones? And what should you do to keep yourself safe from these types of hack? We’ve got all the details you need to know.
How Websites Were Able to Hack iPhones
Here’s how the security issue worked, as revealed in August 2019 by Google Project Zero. Traditionally, people thought it was hard or even impossible to hack iOS devices as long as they weren’t jailbroken. Hacking an iOS device requires knowledge of a “zero day vulnerability”.
This is a vulnerability which has not yet been disclosed to Apple or to the security community. As soon as Apple discovers a vulnerability, it patches it. This means that as soon as a vulnerability becomes widely known it is almost immediately fixed.
In the case of these hacks, however, websites were able to hack iPhones which visited them. The hackers achieved this using 14 different vulnerabilities, which were combined into five attack chains.
An “attack chain” is where several vulnerabilities are used in concert to attack a device. Any one of the vulnerabilities would not be enough to hack a device on its own, but together they can. Combined, the vulnerabilities let hackers install an “implant” that could run as root onto a device.
That means it bypassed the operating system’s security protocols and had the highest possible level of security privileges.
Just visiting one of these sites was enough to install a piece of monitoring software on your device. More concerningly, Google said it estimated that thousands of people visited the sites every week. This leaves the possibility that hackers could have infected thousands of devices over several years.
What the Hacks Were Able to Do
The list of privileges that the hack gained access to is worryingly comprehensive. The implant was able to locate devices in real time, see call and SMS history, look at notes in the Notes app, look at passwords, listen to voice memos, and view photos. It was even able to see encrypted messages, such as those shared on apps like iMessage, Telegram, or WhatsApp.
The implant was able to view encrypted messages because it had access to the database files on the phones. These files allow you to read and send encrypted messages. The operating system should protect these files from third-party apps. But because the implant had root access, it could see these files and use them to read encrypted messages.
It could also upload emails from the phone to the hacker’s server. Or it could copy all of the contacts stored on the phone. The real-time GPS tracking is particularly scary as it meant that the hackers could see the current location of a user at any time and follow their movements.
Who the Hacks Affected
Apple released a statement addressing the issue. It said that “the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ‘en masse’ as described”. It also said that “[t]he attack affected fewer than a dozen websites that focus on content related to the Uighur community”.
The Uighur people are a minority ethnic group who are native to China. They suffer repression and extreme government control over their religious and social practices by the Chinese government. The implication in the Apple statement is that the Chinese government may have used the iPhone malware to spy on Uighur people in particular as a method of monitoring and controlling them.
Apple accused Google of “stoking fear among all iPhone users that their devices had been compromised”. The implication was that most iPhone users needn’t worry about the hacks as they only targeted a small minority of people. However, all users should be aware that the vulnerabilities exist and were used to thoroughly compromise devices, for two reasons.
Firstly, the use of these vulnerabilities to target a minority group for persecution is something all people should be concerned about. Secondly, it demonstrates that iOS devices are not immune to exploits and that iPhone users do need to be aware of security issues.
Additionally, it is worth considering what the potential danger of this hack could have been. The fact that only a small minority of people were targeted is not the result of limitations of this vulnerability. The hackers were only interested in targeting this one group. However, if they had wanted to, they could have used this same method to infect iPhones on a much broader scale.
What Should iPhone Users Do About the Hacks?
Although this news is scary, iPhone users don’t need to panic. Apple patched the vulnerability some time ago. As long as you are running iOS 12.1.4 or above, you are now immune to this particular attack. This shows why it’s so important to update your device’s software regularly. Companies usually fix security issues like this in the latest versions of their software.
If you think your device has been infected by the malware, you should update it to the latest version of iOS as soon as possible. The phone will reboot as part of the installation process. The new software and the reboot will remove the malware from your device.
Unfortunately it’s not possible to run antivirus software on iOS. This means there’s no way to check your device for future threats like this malware. The best thing you can do to keep your device safe is to update it regularly.
iPhone Users Should Learn About Security Threats
Although the iPhone is still a very secure device on the whole, it is not perfect. As this issue demonstrates, it is possible to hack iOS devices and steal huge amounts of data from them.
To help keep your iPhone safe, learn about the iPhone security apps and settings you should know about.