Security researchers at Google said they found hacked websites that had been serving iPhone exploits to visitors for more than two years.
Unlike most iOS exploits, which are used against specific, hand-picked targets, these attacks were aimed at any user who visited the sites on an iPhone.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” said Ian Beer, a member of Google Project Zero, Google’s elite security team.
The exploits also didn’t require any user interaction to trigger. Google said the first website to host any of the exploits went live on September 13, 2016. The websites appeared to have been hacked, with the exploits planted by a third party rather than by the site owners.
“We estimate that these sites receive thousands of visitors per week,” Beer said.
14 vulnerabilities, five exploit chains, at least one zero-day
This nefarious and secretive hacking operation was discovered earlier this year when Google’s Threat Analysis Group (TAG) came across the hacked sites.
“We reported these issues to Apple with a 7-day deadline on 1 Feb 2019, which resulted in the out-of-band release of iOS 12.1.4 on 7 Feb 2019,” Beer said.
In total, Beer said, Google found exploits for 14 iOS vulnerabilities, grouped into five exploit chains: seven affected the iPhone’s web browser, five the kernel, and two were sandbox escapes. Between them, the chains covered iOS versions 10.x, 11.x, and 12.x.
Malware could steal messages, photos, GPS coordinates
Beer and his Project Zero colleagues have published teardowns of the five exploit chains and the vulnerabilities they exploited [1, 2, 3, 4, 5], along with blog posts detailing the JavaScriptCore (JSC) exploits that gave the attackers an initial foothold in victims’ browsers, and an analysis of the implant left on infected devices.
According to Beer, this implant (the malware planted on infected iPhones) could “steal private data like iMessages, photos and GPS location in real-time.” The good news was that the implant wasn’t capable of establishing boot persistence on the device: simply rebooting the phone removed it, until the user revisited one of the hacked websites and was infected again. A reboot does not, of course, recover data that the implant had already uploaded while it was running.
Furthermore, Beer noted that while most of the exploits targeted older vulnerabilities that Apple had already patched, at least one exploit chain used vulnerabilities that were still zero-days (unpatched) when Google found it. These were CVE-2019-7286 and CVE-2019-7287, fixed in iOS 12.1.4, released in February 2019. [This zero-day chain is exploit chain #4 in the chart above.]
The Google researcher also warned that other similar hacking campaigns and exploit chains might still be around, and described the sites Google found as “a failure case for the attacker.”
“There are almost certainly others that are yet to be seen,” he said.
Google didn’t release any information about the sites serving the exploits.