Yes, you read it right, a website could hack iPhone.
In January this year, it was the very first time when Apple disclosed that active install base of iPhone has reached 900 million. With a global active installed base is expected to exceed 1 billion this year, Apple’s iPhones continue to be some of the most desired smartphones worldwide. Therefore, the reported incidents of a coordinated hacking campaign attacking iOS users, undoubtedly, come as unpleasant news to the tech magnate.
Apple iPhone, famous for their locked-down security, are under threat of being hacked by simply visiting a normal looking website. A report published recently in a disquieting blog post by Google’s Project Zero researcher Ian Beer states that an iPhone hacking campaign, discovered earlier this year, is targeting iPhone users through hacked websites. Simply visiting such websites once is enough for the exploit server to attack your iOS device.
iPhone Hacking: Watering Hole Attacks
Known as watering hole attacks, these exploits can compromise the security of end-users by infecting websites and using them as bait to load malware into the victim’s device. These malware or malvertisements infect devices visiting the website. This technique is one of the most used hacking techniques today and is used to conduct identity theft and steal sensitive information from unsuspecting victims.
This iPhone hack epidemic was brought to attention earlier this year by Project Zero’s cybersecurity researchers. It included at least five iPhone exploit chains with the ability to remotely jailbreak an iPhone and implant it with spyware by exploiting 14 different flaws in Apple’s iOS, including flaws in Safari Web Browser, iOS kernel and sandbox escape issues. According to researchers these can attack devices with the iOS 10 and succeeding mobile operating systems.
These attacks are programmed to steal photos, iMessages, and live GPS location data from devices and upload them to an external server every sixty seconds. Also, the implant can gain access to the device’s keychain data which contains authentication tokens, credentials and certificates accessed by the device.
Other popular end-to-end encryption apps on iOS platform like Whatsapp and Telegram are also vulnerable to these exploits.
What to Do?
Ian Beer warns users that while rebooting their iPhone can automatically wipe off the implant, albeit revisiting the hacked website would again reinstall it. Given that these websites receive thousands of visitors weekly, avoiding them may not be easy. Furthermore, attackers can use already stolen information to access various accounts and services even if the implant is wiped.
Beer also notes that the group behind the iPhone hacking could be targeting users of iPhones in certain communities for over two years.
Although no information about the hacked websites was released, Apple assures its users that the majority of these issues have been patched. iOS users are advised to update their devices to avoid such malicious hacking campaigns. Even though the tech behemoth is known for its not so smooth relationship with security researchers, Apple issued patches just a week later after Google disclosed the vulnerabilities being exploited by the hackers.
Apple recently made the news for providing security researchers with “hacking-friendly” iPhones with the goal of increasing their security even more by letting researchers hack their systems and using the data to make it more difficult for nefarious individuals and groups to attempt to do the same.