Skip to main content

iPhones hacked by malicious websites

(Image credit: Shutterstock.com)

The security of iPhones  has been called into question after researchers discovered that Apple's mobile devices could be at risk of hijacking.

A report from Google's Project Zero security team discovered a number of malicious websites were able to hack into a victim's iPhone without them knowing, infecting the devices with malicious software that was able to data such as contact info, media files and even GPS location.

Hackers would be able to exploit a number of previously unknown software flaws to quietly take over a victim's device, with versions of iPhone software up to and including iOS 12 affected.

Indiscriminate

Outlining the "indiscriminate" attack in a blog post, Google's researchers warned that victims could be affected by the flaws thanks to the "sustained effort" of the hackers.

“Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” Project Zero researcher Ian Beer wrote.

Five distinct iPhone exploit chains comprising fourteen seperate flaws were discovered by the researchers, including seven for the iPhone's Safari web broswer. 

Once infected, hackers could also detect what apps the user had installed, hoovering up data from popular services such as Instagram, WhatsApp and Telegram, as well as Google products such as Gmail and Hangouts.

The vulnerabilities were exploited after the victim visited any of a small collection of hacked websites uncovered by Google's Threat Analaysis Group. These sites were used in a so-called 'watering hole' attack which caused the infected device to visit certain sites up to thousands of times per week for a period of at least two years.

Google's team reported the flaws to Apple earlier this year, with the flaws being patched in the release of iOS 12.1.4 on February 7th, however Beer noted that this could only be one of many attacks against iPhone software.

"Keep in mind that this was a failure case for the attacker," he noted, "for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen."