Hackers Used Websites to Gain Access to iPhones for Years

​​An attack against iPhone users went on for two years before Apple became aware and released patches to address the vulnerability, according to new research published by Google.

Researchers and Apple were unable to confirm how many iPhone users may have been impacted by the hack. But an analysis, released Thursday by Google's Project Zero, detailed the attack, which was carried out through a few hacked websites when iPhone users visited them using their device.

"The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using an iPhone 0-day," according to a blog post by Project Zero's Ian Beer. "There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week."

Using this access, the threat actors were able to gain access to a variety of data on the compromised iPhones.

"The data taken is the 'juicy' data," said Jonathan Levin, an author of books on Apple's operating systems, who spoke with MIT's Technology Review. "Take all the passwords from the keychain, location data, chats/contacts/etc., and build a shadow network of connections of all your victims. Surely by six degrees of separation you'll find interesting targets there."

TAG researchers notified Apple of the problem on 1 February 2019 and gave the manufacturer seven days to respond. That notification resulted in Apple releasing an updated version of its internal operating system for iPhone on 7 February 2019, which patched the vulnerabilities TAG identified before they were publicly disclosed.

TAG researchers then continued to study the exploit chains used to infiltrate iPhones through the attacks and put together an analysis to help individuals understand the security of their devices and mass attacks.

"Real users make risk decisions based on the public perception of these devices," Beer wrote. "The reality remains that security protections will never eliminate the risk of attack if you're being targeted. To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group. All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised can upload their every action into a database to potentially be used against them."

Digital compromises, like the kind detailed in TAG's analysis, are also posing new risks for executive protection professionals who increasingly see their clients being targeted by cyberattacks that could provide information on their location or sensitive corporate information.

"For example, a protectee might have a digital assistant, such as an Amazon Alexa or Google Home device, that if compromised could be used to listen in on private conversations in the home," according to previous Security Management coverage. "Those conversations, in turn, could be used to blackmail the protectee to provide compensation or take a business action that could be detrimental to the company in order to prevent the compromising information from becoming public."