Hacking the iPhone has long been considered a rarified endeavor, undertaken by sophisticated nation states against only their most high-value targets. But a discovery by a group of Google researchers has turned that notion on its head: For two years, someone has been using a rich collection of iPhone vulnerabilities with anything but restraint or careful targeting. Instead, they've indiscriminately hacked thousands of iPhones just by getting them to visit a website.
On Thursday evening, Google's Project Zero security research team revealed a broad campaign of iPhone hacking. A handful of websites in the wild had assembled five so-called exploit chains, tools that link together security vulnerabilities, allowing a hacker to penetrate each layer of iOS's digital protections. The rare and intricate chains of code exploited a total of 14 security flaws, targeting everything from the browser's "sandbox" isolation mechanism to the core of the operating system known as the kernel, ultimately gaining complete control over the phone.
They were also used anything but sparingly. Google's researchers say the malicious sites were programmed to assess devices that loaded them, and to compromise them with powerful monitoring malware if possible. Almost every version of iOS 10 through iOS 12 was potentially vulnerable. The sites were active since at least 2017, and had thousands of visitors per week.
"This is terrifying," says Thomas Reed, a Mac and mobile malware research specialist at the security firm Malwarebytes. "We’re used to iPhone infections being targeted attacks carried out by nation-state adversaries. The idea that someone was infecting all iPhones th ..
Support the originator by clicking the read the rest link below.
