iPhones are safer than other smartphones – or are they? This mantra of Apple fans is now being called into question by a discovery by Google security researchers. They have found websites that for years infected iPhones with "surveillance implants" on a large scale. The implants read contacts, photos and possibly even the passwords stored on the device, and all it took was a visit to one of the websites.
Google's Project Zero security researchers discovered the previously unknown vulnerabilities, which existed in Apple's iOS operating system from version 10 through version 12, back in February. According to a TechCrunch report, Google gave Apple a one-week deadline to fix them because of their severity. After six days Apple released an update, iOS 12.1.4, which closed the holes.
Thousands of iPhone users bugged without noticing
By that time, however, thousands of iPhone users are likely to have already been bugged without noticing, Google reports. The security researchers had discovered several compromised websites that infected thousands of innocent iPhone visitors per week with interception software. "Merely visiting the site was enough for the exploit server to attack the device and, if successful, install a surveillance implant," says Google researcher Ian Beer.
According to the Google researchers, the infection, in which the attackers gained administrative rights on the devices, was carried out using five exploit chains that took advantage of more than a dozen vulnerabilities, seven of them in the iPhone's Safari browser. Once the campaign's operators had infected an iPhone, contacts and messages were siphoned off and the location of the iPhone's owner was recorded. Stored passwords were apparently also accessible.
Campaign ran for at least two years
The malware campaign ran for at least two years, Google estimates. How many iPhone users were bugged during this period is not known. However, the compromised sites that infected them received a few thousand visits per week over the course of the campaign. According to Google researcher Beer, it cannot be ruled out that other hacking campaigns against iPhone users are currently under way.
Apple itself has not commented on the case, but says it is working to detect and close security holes in its software quickly. The iPhone maker recently raised the maximum "bounty" paid to finders of flaws under its in-house bug bounty program to one million dollars. Under these new rules, which take effect later this year, Google's Project Zero would be eligible for several million dollars from Apple.