Skip to main content

Malicious websites were used to secretly hack into iPhones for years, says Google

Security researchers at Google say they’ve found a number of malicious websites which, when visited, could quietly hack into a victim’s iPhone by exploiting a set of previously undisclosed software flaws.

Google’s Project Zero said in a deep-dive blog post published late on Thursday that the websites were visited thousands of times per week by unsuspecting victims, in what they described as an “indiscriminate” attack.

“Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” said Ian Beer, a security researcher at Project Zero.

He said the websites had been hacking iPhones over a “period of at least two years.”

The researchers found five distinct exploit chains involving 12 separate security flaws, including seven involving Safari, the in-built web browser on iPhones. The five separate attack chains allowed an attacker to gain “root” access to the device — the highest level of access and privilege on an iPhone. In doing so, an attacker could gain access to the device’s full range of features normally off-limits to the user. That means an attacker could quietly install malicious apps to spy on an iPhone owner without their knowledge or consent.

Google said based off their analysis, the vulnerabilities were used to steal a user’s photos and messages as well as track their location in near-realtime. The “implant” could also access the user’s on-device bank of saved passwords.

The vulnerabilities affect iOS 10 through to the current iOS 12 software version.

Google privately disclosed the vulnerabilities in February, giving Apple only a week to fix the flaws and roll out updates to its users. That’s a fraction of the 90 days typically given to software developers, giving an indication of the severity of the vulnerabilities.

Apple issued a fix six days later with iOS 12.1.4 for iPhone 5s and iPad Air and later.

Beer said it’s possible other hacking campaigns are currently in action.

The iPhone and iPad maker in general has a good rap on security and privacy matters. Recently the company increased its maximum bug bounty payout to $1 million for security researchers who find flaws that can silently target an iPhone and gain root-level privileges without any user interaction. Under Apple’s new bounty rules — set to go into effect later this year — Google would’ve been eligible for several million dollars in bounties.

A spokesperson for Apple did not immediately comment.



from Apple – TechCrunch https://ift.tt/32db8Ot

Comments

Popular posts from this blog

Axeleo Capital raises $51 million fund

Axeleo Capital has raised a $51 million fund (€45 million). Axeleo first started with an accelerator focused on enterprise startups. The firm is now all grown up with an acceleration program and a full-fledged VC fund. The accelerator is now called Axeleo Scale , while the fund is called Axeleo Capital . And it’s important to mention both parts of the business as they work hand in hand. Axeleo picks up around 10 startups per year and help them reach the Series A stage. If they’re doing well over the 12 to 18 months of the program, Axeleo funds those startups using its VC fund. Limited partners behind the company’s first fund include Bpifrance through the French Tech Accélération program, the Auvergne-Rhône-Alpes region, Vinci Energies, Crédit Agricole, BNP Paribas, Caisse d’Épargne Rhône-Alpes as well as various business angels and family offices. The firm is also partnering with Hi Inov, the holding company of the Dentressangle family. Axeleo will take care of the early stage in...

Puls raises $50 million for in-home technical support

A fund affiliated with the Singaporean government has a great interest in making sure that American consumers are getting the tech support they need. Temasek, the multi-billion-dollar investment fund associated with the government in Singapore, has led a $50 million round for  Puls Technologies, Inc. , a San Francisco-based company aiming to be the tech support for American homes and offices. Current investors Sequoia Capital, Red Dot Capital Partners, Samsung NEXT and Viola Ventures all participated in the new financing, alongside additional new investors Hanaco Ventures and Hamilton Lane. Founded only three years ago, Puls pitches a service that can match consumers with the appropriate technician in a little over an hour, any day of the week. The company has built a network of 2,500 technicians in the top 50 cities in the United States, and will provide same-day installation and repair of over 200 products. Some things the company’s technicians can service include smartphon...