Google says iPhone security flaws let websites hack away for years

Malicious sites installed a "monitoring implant" that compromised personal data on iPhones that simply visited them, according to security researchers.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Sean Keane Former Senior Writer
Sean knows far too much about Marvel, DC and Star Wars, and poured this knowledge into recaps and explainers on CNET. He also worked on breaking news, with a passion for tech, video game and culture.
Expertise Culture, Video Games, Breaking News
Alfred Ng
Sean Keane
3 min read

Google found some malicious websites that could hack into people's iPhones.

Angela Lang/CNET

Google's Project Zero security researchers have revealed that they found several hacked websites that slipped malware onto people's iPhones for years. If people visited one of the sites, their messages, photos and location data could have been compromised. The team reported its findings to Apple earlier this year, and the vulnerability was patched in the same update that fixed the FaceTime eavesdropping bug.

"There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant," Project Zero's Ian Beer wrote in a Thursday blog post detailing the team's discovery. "We estimate that these sites receive thousands of visitors per week."

The attacks are a rare display of vulnerabilities for iPhones, which are generally considered highly secure devices. Apple has offered up to $1 million in bug bounties for security researchers who can find critical vulnerabilities on its devices. Often, attacks on iPhones are difficult to carry out, and usually limited to espionage between countries. It's unclear who's behind this attack that could compromise millions of devices just by a single visit. 

"It's always been possible, but the cost of these vulnerabilities on the open market means they've never been used in an attack like this before," Thomas Reed, director of Mac and mobile security at Malwarebytes, said in an email. "In the past, iOS malware has been primarily used in targeted attacks by nation-states. By targeting specific people, they limit the exposure of the vulnerabilities used, protecting them against discovery by Apple."

Watch this: Apple fixes FaceTime flaw, Google pulls Fiber service from Louisville

The hack didn't work off of any single vulnerability. Google's team found that it used 14 zero-day vulnerabilities across five separate exploit chains. The vulnerabilities ran from iOS 10 to the current version, iOS 12, meaning the hackers targeted iPhone users over at least two years. When Google disclosed the vulnerability to Apple in February, the company issued a patch less than a week later. 

This hack gave attackers full control of a victim's iPhone, allowing them to install malicious apps, get real-time location data and steal photos and messages, even if they're encrypted. Because of the malware's deep level of access, it could even get contents of messages before they were encrypted, Google's researchers said. The implant could access the device's keychain, which includes passwords and database files used by end-to-end encrypted messaging apps like WhatsApp, Telegram and iMessage.

As the attacks siphoned off people's personal information, they were sending that data without encryption, which meant that anyone on the same Wi-Fi network could also see all of the stolen content. 

The malware was wiped if people rebooted their iPhones, but would return if they visited one of the hacked sites again, the report noted. Also, even if the malware was wiped, hackers could cause more damage with stolen passwords and private messages it obtained. There's also no way to tell if you've been affected, Reed said. 
iOS doesn't allow for malware scans, and it's possible that contributed to the hack being hidden for so long, the security researcher said. 

"The very nature of iOS, intended to keep devices secure, may have worked against us in this case by preventing the attack from being discovered," Reed said.

Apple declined comment, but make sure your iPhone is fully updated to prevent this vulnerability from hitting you.

First published Aug. 30 at 2:52 a.m. PT.
Update, 3:38 a.m. PT: Notes that Apple declined comment and adds details.
Update, 5:09 a.m. PT: Adds more details and context on the hack.
Update, 8:48 a.m. PT: Adds quotes from security researcher.

Here's every iPhone ever made from 2007 to today

See all photos