Google’s Project Zero team revealed 14 iPhone security flaws hackers have secretly exploited for two years, questioning whether Apple’s device is really so “unhackable” as has long been claimed.
According to the series of blog posts published by Google’s zero-day security analyst team, the attackers indiscriminately used watering hole attacks against iPhone users, installing monitoring implants to devices which have visited websites infected by the hackers.
Google researchers estimate that the infected sites receive thousands of visitors every week.
According to one blog post, the 14 vulnerabilities were a part of five unique iPhone exploit chains that covered almost every version of Apple’s mobile operating system from iOS 10 to the latest version of iOS 12, indicating that the hackers were working hard to exploit the security flaws.
Half of the iPhone vulnerabilities were discovered in Apple’s Safari browser, five in the kernel, and hackers also used two separate sandbox escapes to access data outside the permissions of an app or a process.
The hackers have launched one of the most comprehensive attacks ever deployed against iPhone users.
What proves this best is the broad access of the monitoring implant, which could acquire location data, photos, contacts, and sensitive information like passwords from the iOS Keychain after successful installation.
The attack had such deep access to iPhone systems that hackers could even read or eavesdrop the messages of victims on encrypted communications services like WhatsApp or iMessage.
There’s also a chance that the attackers have acquired access tokens from the Apple victims, which they could use to log into social media and communications accounts.
The ability to hack iPhones became a hot topic after the US Department of Justice (DOJ) sued Apple for refusing to help the FBI to hack a device owned by an ISIS terrorist.
Later on, the agency managed to break into the terrorist’s iPhone with the help of a third-party and released an extensively redacted document, revealing almost nothing about the methods they used to hack the device.