TECHNOLOGY

Two-year operation indiscriminately infects iPhones with spyware

Aug 30, 2019, 6:27 PM | Updated: 6:49 pm
AP Photo/Marcio Jose Sanchez, File

(AP) — Researchers say suspected nation-state hackers infected Apple iPhones with spyware for over two years. On Friday, security experts called the hacking an alarming security failure for a company whose calling card is privacy.

Just visiting one of a small number of tainted websites could infect an iPhone. The implant was capable of sending information from the smartphone to the cybercriminals behind the operation. The personal information included text messages, email, photos, and real-time location data.

“This is definitely the most serious iPhone hacking incident that’s ever been brought to public attention, both because of the indiscriminate targeting and the amount of data compromised by the implant,” said former U.S. government hacker Jake Williams, the president of Rendition Security.

Apple quietly patched the problem

The last of the vulnerabilities, announced late Thursday by Google researchers, were quietly fixed by Apple by February, but only after thousands of iPhone users were believed to have been exposed over more than two years.

The researchers did not identify the websites used to seed the spyware or their location. They also did not say who was behind the cyber espionage or what population was targeted, but experts said the operation had the hallmarks of a nation-state effort.

Williams said the spyware implant wasn’t written to transmit stolen data securely, indicating the hackers were not concerned about getting caught. That suggests an authoritarian state was behind it. He speculated that it was likely used to target political dissidents.

Affected apps include text messages, Gmail

Sensitive data accessed by the spyware included WhatsApp, iMessage and Telegram text messages, Gmail, photos, contacts and real-time location — essentially all the databases on the victim’s phone. While the messaging applications may encrypt data in transit, it is readable at rest on iPhones.

Google researcher Ian Beer said in a blog posted late Thursday that the discovery should dispel any notion that it costs a million dollars to successfully hack an iPhone. That’s a reference to the case of a United Arab Emirates dissident whose iPhone was infected in 2016 with so-called zero-day exploits, which have been known to fetch such high prices.

“Zero day” refers to the fact that such exploits are unknown to the developers of the affected software, and thus they have had no time to develop patches to fix it.

The discovery, involving 14 such vulnerabilities, was made by Google researchers at Project Zero, which hunts the security flaws in software and microprocessor firmware, independent of their manufacturer, that criminals, state-sponsored hackers and intelligence agencies use.

“This should serve as a wake-up call to folks,” said Will Strafach, a mobile security expert with Sudo Security. “Anyone on any platform could potentially get infected with malware.”

Popular, busy apps targeted

Beer said his team estimated that the infected websites used in the “indiscriminate watering hole attacks” receive thousands of visitors per week. He said the team collected five separate chains of exploits covering Apple’s iOS system as far back as version 10, released in 2016.

Apple did not respond to requests for comment on why it did not detect the vulnerabilities on its own and if it can assure users that such a general attack could not happen again. Privacy assurance is central to the Apple brand.

Neither Google nor Beer responded to questions about the attackers or the targets, though Beer provided a hint in his blog post: “To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group.”

Game-changing attack

Security manager Matt Lourens at Check Point Software Technologies called the development an alarming game-changer. He said that while iPhone owners previously compromised by zero days were high-value targets, a more widespread seeding of spyware at a lower cost per infection has now been shown possible.

“This should absolutely reshape the way corporations view the use of mobile devices for corporate applications, and the security risk it introduces to the individual and/or organization,” Lourens said in an email.

In his blog post, the Google researcher Beer warned that absolute digital security can’t be guaranteed.

Smartphone users must ultimately “be conscious of the fact that mass exploitation still exists and behave accordingly;” he wrote, “treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”

___
AP Cybersecurity Writer Frank Bajak on Twitter: https://twitter.com/fbajak

 
