The Apple iPhone was hacked by a watering hole attack last year. Google’s Threat Analysis Group found it and worked with Apple to get it patched. No one will ever know how many iPhones were compromised, but the security community is aghast at how easily the supposedly immune iPhone was hacked.
Google’s Ian Beer posted details of how the Apple iPhone was hacked (here), and it is a lengthy document. Any iPhone that visited one of the infected websites (and there were many, including high-profile sites) could be compromised, giving the attackers root control and the ability to steal private data such as iMessages, photos and GPS location in real time, and much more.
Malwarebytes has analysed the tome here, but in the interests of clarity we have done an overview of how the Apple iPhone was hacked.
Hacked websites were attacking iPhones, infecting them with malware. These sites, which see thousands of visitors per week, distributed iOS malware for over two years. You could be infected just by visiting the website.
While iOS has been relatively free of malware, jailbroken devices (as is common in Asia) were always at risk. This attack needed no jailbreak, no text message, no poisoned app – nothing beyond loading a web page in Safari.
According to Beer, the websites “Were part of indiscriminate watering hole attacks against their visitors using 14 different vulnerabilities in iOS combined into five different attack chains.”
The infection was able to escape the iOS sandbox
The unnamed iPhone malware implant escaped the iOS sandbox to run as root. That means it bypasses iOS security mechanisms and runs with the highest level of privileges on the device.
The implant communicates with a command and control (C&C) server at a hard-coded IP address over plain, unencrypted HTTP. In addition to uploading data to the server, it can also receive several commands from the server:
systemmail: upload email from the default
device: upload device identifiers (IMEI, phone number, serial number etc)
locate: upload location from CoreLocation
contact: upload contacts database
callhistory: upload phone call history
message: upload iMessage/SMSes and more that are
notes: upload notes made in Notes.app
applist: upload a list of installed non-Apple apps
keychain: upload passwords and certificates stored in the keychain
recordings: upload voice memos made using the built-in voice memos app
msgattach: upload SMS and iMessage attachments
priorapps: upload app-container directories from hardcoded list of third-party apps if installed (appPriorLists)
photo: upload photos from the camera roll
allapp: upload container directories of all apps
app: upload container directories of particular apps by bundle ID
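The C&C traffic described above (cleartext HTTP to a hard-coded IP address, with bulk uploads of device data) is exactly the kind of pattern a network defender can hunt for in proxy or egress logs. The following is an added detection example written for this overview; it is not code from the original article or from Google Project Zero. The log format, the sample log lines, the addresses (RFC 5737 documentation ranges) and the 64 KiB threshold are all constructed assumptions for illustration.

```python
"""Flag plaintext HTTP uploads to bare IP-address hosts in a proxy log.

Added example, not code from the original article or from Google Project
Zero. The log format, sample lines and byte threshold are constructed
assumptions for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic). Fields:
#   timestamp client_ip method url status request_body_bytes
# 203.0.113.7 and 192.0.2.9 are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2019-08-29T10:01:02Z 10.0.0.12 GET http://www.example.com/index.html 200 0
2019-08-29T10:01:05Z 10.0.0.12 POST http://203.0.113.7/ 200 184320
2019-08-29T10:01:06Z 10.0.0.12 GET http://203.0.113.7/ 200 0
2019-08-29T10:02:00Z 10.0.0.34 POST https://api.example.net/upload 200 204800
2019-08-29T10:02:10Z 10.0.0.12 POST http://203.0.113.7/ 200 2621440
2019-08-29T10:03:00Z 10.0.0.51 POST http://192.0.2.9/ping 200 12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<body>\d+)$"
)


@dataclass
class Alert:
    client: str        # device that sent the data
    dest: str          # bare IP literal it uploaded to
    uploads: int       # number of cleartext POST/PUT requests
    bytes_sent: int    # total request-body bytes across those uploads


def _is_ip_literal(host: Optional[str]) -> bool:
    """True if the URL host is a raw IPv4/IPv6 address rather than a name."""
    if host is None:
        return False
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def detect_plaintext_ip_uploads(log_text: str, min_bytes: int = 65536) -> List[Alert]:
    """Aggregate cleartext uploads per (client, IP-literal host) and alert.

    The signal mirrors the implant behaviour described in the article:
    unencrypted HTTP, a hard-coded IP instead of a DNS name, and bulk
    uploads of device data. min_bytes suppresses tiny beacons/pings.
    """
    totals: Dict[Tuple[str, str], List[int]] = defaultdict(lambda: [0, 0])
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # skip malformed lines
        parts = urlsplit(m["url"])
        if parts.scheme != "http":        # TLS traffic is not this pattern
            continue
        if m["method"] not in ("POST", "PUT"):
            continue                      # only count uploads, not polling
        if not _is_ip_literal(parts.hostname):
            continue                      # named hosts are a different hunt
        key = (m["client"], parts.hostname)
        totals[key][0] += 1
        totals[key][1] += int(m["body"])
    alerts = [
        Alert(client, dest, count, total)
        for (client, dest), (count, total) in totals.items()
        if total >= min_bytes
    ]
    alerts.sort(key=lambda a: a.bytes_sent, reverse=True)
    return alerts


if __name__ == "__main__":
    for a in detect_plaintext_ip_uploads(SAMPLE_LOG):
        print(f"{a.client} -> http://{a.dest}/ : {a.uploads} uploads, {a.bytes_sent} bytes")
```

On the constructed log this flags only 10.0.0.12, which pushed about 2.7 MB in two cleartext POSTs to 203.0.113.7, and ignores the HTTPS upload to a named API host and the 12-byte ping to 192.0.2.9. The threshold is a tuning knob, not a guarantee: an implant that chunks uploads below it, or moves to TLS and a DNS name, would need a different rule.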
The most likely users of such information are state (nation) actors, or criminals filling in more of a person’s dark web profile to enhance ID theft. Messages from end-to-end encrypted apps such as WhatsApp or Telegram are also uploaded in plain text: they are only encrypted in transit, and an implant running as root can read the decrypted message databases stored on the phone.
Which websites were infected?
This aspect has left iPhone users panicking. The good news is that Apple patched the exploited bugs in iOS 12.1.4 (February 2019), and because the implant has no persistence, a reboot of the phone removes it. A reboot is not a cure on its own, though: an unpatched phone is reinfected the next time it visits a compromised site. If you haven’t updated iOS, we suggest you do so now.
There is a suggestion that the sites were chosen to target visitors on religious, ethnic or geographic grounds.
GadgetGuy’s take – what a revelation – Apple iPhone was hacked with ease
That the supposedly immune iPhone was hacked without a jailbreak or physical access to the phone is bad enough. That it could have been happening for two years tops that. And it took Google to find it and help remediate it.
As Malwarebytes says,
“Now that it has happened, people will not look at the iPhone in quite the same way.
Although Apple doesn’t allow antivirus software on iOS, there does need to be some means for users to check their devices for known threats. Perhaps something involving unlocked devices connected by wire to trusted machines? If such a thing were possible, this attack probably wouldn’t have gone undetected for two years.”