Hackers stole iPhone passwords and messages for two years before anyone noticed


Do you remember the old "Mac vs. PC" commercial that claimed Macs don't get viruses? Even though that has never been true (Apple products face fewer threats than their competitors' do, but they aren't virus-proof), the idea has stuck with the company. Apple devices, usually rightfully, are considered more secure than the alternatives — which makes a recent discovery by security researchers at Google both troubling and uncomfortable. It seems that for at least the last two years, a number of websites hosted malware designed to attack iPhones, steal sensitive information and disappear without a trace.

According to the security researchers, a handful of websites — the names of which were not disclosed — hosted a series of exploit chains, or sets of tools that work together to attack vulnerabilities in iOS. The intricate attack chains targeted 14 known security flaws in Apple's mobile operating system, spanning components from the phone's web browser to the very core of the operating system. When carried out, the exploit chains gave the attackers nearly complete control over the infected device.

The malware could steal passwords directly from a person's iOS Keychain, where all of their logins are stored. It could also capture end-to-end encrypted messages from iMessage or third-party apps like WhatsApp and Signal, because those apps decrypt messages on the device itself, where the malware could read them. The malware could track a person's location, possibly even in real time, and access their contacts, photos and just about any other sensitive bit of data on the device. All of that information was collected and sent to a server operated by the attackers, to do with as they chose.

What is interesting about the attack is that it doesn't seem to have been aimed at anyone in particular. The malware existed on sites that attracted thousands of visitors each week, according to Google. The malware deployed basically any time someone visited the site; it didn't attempt to discern anything about a person's device in order to target specific individuals. In most cases, just visiting the site was enough to infect an iPhone. The malware didn't present any of the telltale indicators that something was wrong; it simply operated in the background on a person's device, collecting every bit of information it could. Then, when the phone was reset, the malware would evaporate, leaving no signs of its operations.


What is known about the attack — how it operates, what the malware can collect — is already deeply concerning. But what makes the situation all the more fraught is what isn't known yet. It's hard to say just how many people were affected by the attack. It could be as few as thousands of devices, or it could be in the millions, depending on how many unique visitors the infected sites received. There's also no real indication as to who is behind the attack. Google didn't provide any leads as to who may have been responsible. Knowing the infected websites may provide some indicators, though it's not entirely clear whether the site operators were aware of what was happening, either. The type of information the malware steals is consistent with what nation-state attackers collect, but the fact that the sites didn't seem to have a singular target in mind throws a wrench in that equation. It's more common for hacking groups to carry out these types of "watering hole" attacks, designed to infect as many people as possible, but the scale and severity of this one is more extensive than most.

The good news, if there is any here, is that if you have updated your iPhone any time in the last few months, you are probably safe from these attacks. Google first identified the hacked websites in January and reported the exploits to Apple on February 1. Apple pushed out a fix for the issue within a week, implementing security patches with the release of iOS 12.1.4. If your device is not currently running that version of the operating system, you are going to want to update immediately.

Go to the Settings app, open the General menu and go to the About section. This will tell you what software version you're running on your device. If it is iOS 12.1.3 or earlier, you're going to want to update. Go back to General and select Software Update. Any available update should appear automatically for you. Tap the Download and Install option and let it run its course so your device will be protected.
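For anyone checking more than one device (say, a small fleet of company phones), the same "12.1.3 or earlier means update" rule can be applied to an inventory of reported OS versions. This is an added example, not from the article or from Apple; the inventory below is constructed, and it assumes versions are reported as strings like "iOS 12.1.3" or "12.1".

```python
"""Flag iOS devices whose reported version predates the iOS 12.1.4 fix.

Added example, not code from the article. Version strings are compared
numerically, part by part, so "12.2" correctly counts as newer than "12.1.4"
(a plain string comparison would get cases like "12.10" vs "12.2" wrong).
"""
import re

# First iOS release carrying the patches the article describes.
FIXED_VERSION = (12, 1, 4)


def parse_version(text):
    """Turn 'iOS 12.1.3', '12.1.3' or '12.1' into a 3-part tuple of ints.

    Missing trailing parts are padded with 0, so '12.1' becomes (12, 1, 0).
    """
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return (parts + (0, 0, 0))[:3]


def is_patched(version_text, fixed=FIXED_VERSION):
    """True if the reported version is the fixed release or newer."""
    return parse_version(version_text) >= fixed


def unpatched_devices(inventory):
    """Return the sorted names of devices still running a pre-fix version."""
    return sorted(name for name, ver in inventory.items() if not is_patched(ver))


# Constructed sample inventory: device name -> OS version as reported by the device.
SAMPLE_INVENTORY = {
    "ceo-iphone": "iOS 12.1.4",   # exactly the fixed release
    "sales-01": "iOS 12.1.3",     # last vulnerable release named in the article
    "sales-02": "12.1",           # no patch number reported, treated as 12.1.0
    "dev-ipad": "iOS 12.2",       # later release, already patched
    "legacy-test": "iOS 11.4.1",  # older major version
}

if __name__ == "__main__":
    for name in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{name}: {SAMPLE_INVENTORY[name]} -> update required")
```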

Hopefully, in the future, these types of attacks will be sniffed out well before they can infect an untold number of devices and operate undetected for more than two years. Apple recently extended its bug bounty program for iOS, which pays people for reporting noteworthy security flaws and bugs found within the operating system. Apple is now paying out up to $1.5 million for a single exploit, depending on its severity, and is even providing some security researchers with a custom-made iPhone that should help them discover vulnerabilities before they can be exploited. Those efforts should help curb the chance that something like this attack goes unnoticed for as long as it did, though who knows what else is out there in the wild, running undetected for the time being?