The Apple iPhone was hacked by a watering hole attack last year. Google’s Threat Analysis Group and Apple worked together to patch it. No one will ever know how many iPhones were hacked, but the security community is aghast at the ease the supposedly immune iPhone hack was.
Google’s Ian Beer posted details of how the Apple iPhone was hacked (here), and it is a lengthy document. Any iPhone visiting an infected website (and there were many infected high profile sites) enables hackers to gain root control to steal private data like iMessages, photos and GPS location in real-time, and much more.
Malwarebytes has analysed the tome here, but in the interests of clarity we have done an overview of how the Apple iPhone was hacked
Hacked websites were attacking iPhones, infecting them with malware. These sites, which see thousands of visitors per week, distributed iOS malware over two years. You could be infected just by visiting the website.
While iOS has been relatively free of malware, jail-broken devices (as is common in Asia) were always at risk. This needed no jail-break, no text message, no poisoned app – nothing.
According to Beer, the websites “Were part of indiscriminate watering hole attacks against their visitors using 14 different vulnerabilities in iOS combined into five different attack chains.”
The infection was able to escape the iOS sandbox
The unnamed iPhone malware implant escaped the iOS sandbox to run as root. That means it bypasses iOS security mechanisms and has the highest level of privileges.
The implant communicates with a command and control (C&C) server on a hard-coded IP address over plain, unencrypted HTTP. In addition to uploading data to the server, it can also receive several commands from the server.
- systemmail: upload email from the default Mail.app
- device: upload device identifiers (IMEI, phone number, serial number etc)
- locate: upload location from CoreLocation
- contact: upload contacts database
- callhistory: upload phone call history
- message: upload iMessage/SMSes and more that are unencrypted
- notes: upload notes made in Notes.app
- applist: upload a list of installed non-Apple apps
- keychain: upload passwords and certificates stored in the keychain
- recordings: upload voice memos made using the built-in voice memos app
- msgattach: upload SMS and iMessage attachments
- priorapps: upload app-container directories from hardcoded list of third-party apps if installed (appPriorLists)
- photo: upload photos from the camera roll
- allapp: upload container directories of all apps
- app: upload container directories of particular apps by bundle ID
- dl: unimplemented
- shot: unimplemented
The most likely users of such information are State (Country) actors or to fill in more of a person’s dark web profile to enhance ID theft. Encrypted messages such as Whatsapp or Telegram are also unloaded in plain text as they are only encrypted as sent.
Which websites were infected?
This aspect has left iPhone users panicking. The good news is that the latest iOS version patches the issues and a reboot of the phone stops the attack. If you don’t update iOS, then we suggest you do so.
There is a suggestion that websites on religious, ethnic or locational grounds were targets.
GadgetGuy’s take – what a revelation – Apple iPhone was hacked with ease
That the supposedly immune iPhone was hacked without a jailbreak or access to the physical phone is bad enough. That it could have been happening for two years tops that. And it took Google to find and help remediate it – good Google.
As Malwarebytes says,
“Now that it has happened, people will not look at the iPhone in quite the same way.
Although Apple doesn’t allow antivirus software on iOS, there does need to be some means for users to check their devices for known threats. Perhaps something involving unlocked devices connected by wire to trusted machines? If such a thing were possible, this attack probably wouldn’t have gone undetected for two years.
Hint, hint, Apple!