An in-depth look at five iOS exploit chains that were used in hacked websites for carrying out watering hole attacks against devices running iOS 10 through 12
In the earlier posts we examined …
Ian Beer / Project Zero : In-the-wild iOS Exploit Chain 1
Patrick Howell O'Neill / MIT Technology Review : Websites have been quietly hacking iPhones for years, says Google
Taylor Telford / Washington Post : Google researchers uncover 2-year iPhone hack tied to malicious websites
Dell Cameron / Gizmodo : Google Hackers Reveal Websites Hacked Thousands of iPhone Users Silently for Years
Paul Wagenseil / Tom's Guide : Mass iPhone Hack Is Huge Wake-Up Call for Apple
Thomas Brewster / Forbes : WhatsApp Security Destroyed By Just Visiting A Website—Why The Latest iPhone Hack Is Terrifying
Babu Mohan / TechnoBuffalo : Google uncovers multiple malicious sites that hacked iPhones for years
Conor Cawley / Tech.co : Google Researchers Find Massive Security Flaw in iPhones
Richi Jennings / Security Boulevard : Apple is Bad at Software, says Google
James Rogers / Fox News : iPhone hack attack: Google says hackers placed ‘monitoring implants’ in iPhones
Shaun Nichols / The Register : Google security crew sheds light on long-running super-stealthy iOS spyware operation
Sergiu Gatlan / BleepingComputer : Google Warns iPhone Users of Data-Stealing Malware Attacks
Chris Nuttall / Financial Times : Google highlights iPhone security flaw
Christopher Baugh / iPhone in Canada Blog : Google Security Researchers Uncover ‘Sustained’ Hack on Apple iOS Devices
Todd Haselton / CNBC : Google discovers major iPhone security flaw that affected thousands
Sudais / HackRead : Google hackers found malicious websites hacking iPhones
Thomas Reed / Malwarebytes Labs : Unprecedented new iPhone malware discovered
CBS San Francisco : State-Sponsored Hackers Infected iPhones With Spyware; ‘Most Serious’ Breach Of Its Kind
Janko Roettgers / Variety : Massive iPhone Hack Compromised Thousands of Phones
Maria Deutscher / SiliconANGLE : Google: Malicious sites hacked iPhones for years through unknown exploits
Bevin Fletcher / FierceWireless : Hackers indiscriminately installed ‘monitoring implants’ in iPhones, Google says
Kelly Sheridan / Dark Reading : Google Uncovers Massive iPhone Attack Campaign
Jack Purcher / Patently Apple : Google's Project Zero Team Finds an iOS Exploit Allowing Hackers to tap into conversations through iMessage & more
Allison Ingersoll / Bloomberg : Google's Elite Hacking Team Reveals Untimely Bug in iPhone
Brenden Gallagher / The Daily Dot : Thousands of iPhones attacked just by visiting hacked websites
Tara Seals / Threatpost : iPhone Zero-Days Anchored Watering-Hole Attacks
Joe Rice-Jones / KnowTechie : Google says a bunch of malicious websites have been secretly hacking iPhones for years
Firstpost Tech : Malicious websites have been quietly hacking iPhones for the past couple of years
Josephine Wolff / Slate : What You Need to Know About the iPhone Malware News
Joe Uchill / Axios : Report: Websites hacked iPhones for years
Anton D. Nagy / Pocketnow : Google says iPhones were vulnerable to hacks from websites for years
Ionut Arghire / SecurityWeek : iOS Vulnerabilities Allowed Attackers to Remotely Hack iPhones for Years
Charlotte Henry / The Mac Observer : Latest iOS Hack is a Game Changer
Chris Davies / SlashGear : iPhone exploit active “at least two years” detailed by Google
Maggie Miller / The Hill : Google uncovers evidence of large iPhone hacking attempt
Rob Thubron / TechSpot : Google says hacked websites were attacking iPhones for years
Dave Mark / The Loop : Google lays out iOS malware exploits found in the wild, but already patched by Apple back in February
Jonny Evans / Apple Must : How to protect yourself against the latest big iPhone security scare (Updated)
David Pierini / Cult of Mac : Google says iPhone security holes went unnoticed for 2 years
Sami Khan / International Business Times : Hackers used malicious websites to hack iPhones: Passwords, photos, chats, live location exposed
PYMNTS.com : Hacking Attack Could Have Compromised Hundreds Of Thousands Of iPhones
Jeff Stone / CyberScoop : Google's Project Zero details ‘indiscriminate’ hacking campaign against thousands of iPhones
Mike Murphy / Quartz : Update your iPhone's operating system as soon as possible
Jay Bonggolto / Neowin : Google discovered ‘sustained attacks’ over at least two years against iPhone users
Abdullah / Gizchina : Google has discovered malicious websites targeting iPhone users
Nick Boykin / WTKR-TV : Google finds evidence of attempted mass iPhone hack
Chris Merriman / Inquirer : Google's Project Zero team uncovers ‘sustained’ hack on Apple iOS devices
Stephen E. Arnold / Beyond Search : MAGA: Making Android Great Again?
Michael Grothaus / Fast Company : Google discovered websites that could hack your iPhone just by visiting them
Scott Bicheno / Telecoms.com : Google exposes massive iPhone hacking operation
Brandy Betz / Seeking Alpha : Google researchers found mass iPhone hack attempt
Isobel Asher Hamilton / Business Insider : Google researchers found a bunch of malicious sites that quietly hacked iPhones for years
Dan Grabham / Pocket-lint : Google researchers found an iOS security hole was left open for years
Alfred Ng / CNET : Google says iPhone security flaws let websites hack away for years
Mark Jansen / Digital Trends : Google says hackers have been able to access your iPhone data for years
Mark Wyciślik-Wilson / BetaNews : Google security researcher warns that hackers are using malicious websites to exploit iOS flaws and monitor iPhone users
Mariella Moon / Engadget : Google uncovers exploit-laden websites that stole data from iPhones
Catalin Cimpanu / ZDNet : Google finds malicious sites pushing iOS exploits for years
Silviu Stahie / Softpedia News : Google Finds Massive iPhone Vulnerability that Was Exploited for Years
Ed Targett / Computer Business Review : Thousands of Fully Patched iPhones Exploited for Years, says Google - Who Is the Sophisticated Mystery Attacker?
Swati Khandelwal / The Hacker News : Google Uncovers How Just Visiting Some Sites Were Secretly Hacking iPhones For Years
Ravie Lakshmanan / The Next Web : Google researchers reveal data-stealing, web-based iPhone exploit that was active for years
Rajesh Pandey / iPhone Hacks : Google's Project Zero Team Details Malicious Websites That Hacked iPhones for Years
Tweets:
@perito_inf : Implant Teardown The implant has access to all the database files (on the victim's phone) used by popular end-to-end encryption apps like Whatsapp, Telegram and iMessage. https://googleprojectzero.blogspot.com/ ...
Greg Greene / @ggreeneva : This scoop — that the massive hack exploiting multiple zero-day iOS vulnerabilities was likely a state-sponsored Chinese surveillance program — is utterly believable. https://twitter.com/...
Steven Bellovin / @stevebellovin : Per https://arstechnica.com/..., the attackers were interested in activity on Tencent. To me, that strongly suggests Chinese internal security agencies are behind the malware. Also, the sites had “thousands of visitors per week”. These days, that's not very many. 1/2
Malte Ubl / @cramforce : If Apple allowed browser engine diversity on iOS, then fewer than 100% of iOS users would have been vulnerable over this 2 year period https://www.washingtonpost.com/ ...
Eric Geller / @ericgeller : You were very likely not hacked by this. The infected websites received very little traffic, Google said. The news is mostly significant because of how rare iOS zero-days are and because this campaign was indiscriminate, not targeted, raising questions about who did it and why.
Alex Stamos / @alexstamos : Many things to learn from this incident, but one is the safety cost of anti-competitive iOS App Store policies. Chrome/Brave/Firefox are required to use the default WebKit/JS. If Apple isn't going to put in the work necessary to protect users then they should let others do so. https://twitter.com/... https://twitter.com/...
Lukasz Olejnik / @lukolejnik : The implant was used to steal location data and files like databases of WhatsApp, Telegram, iMessage. So all the user messages, or emails. Copies of contacts, photos, https://googleprojectzero.blogspot.com/ ... https://twitter.com/...
Alex Stamos / @alexstamos : It's darkly ironic that Apple is the company that is demonstrating the end point of late-90's fears about Microsoft. ✅Rent seeking via platform control. ✅Content moderation on behalf of autocracies ✅Risk of software monoculture[1] [1] http://blough.ece.gatech.edu/ ...
Rat King / @mikeisaac : can someone tell me the rationale of google disclosing all this info but not identifying the sites? is it in fear of drawing people to them? https://www.wired.com/...
Jake Williams / @malwarejake : This, plus a hardcoded HTTP IP address is amateur hour. Contrast that with multiple exploit chains and sandbox escapes and it sure sounds like a group with tons of money to buy exploits and little operational experience. So many thoughts right now... https://googleprojectzero.blogspot.com/ ... https://twitter.com/...
Stephen Shankland / @stshank : A dig from a Googler about Apple's ostensibly security-minded (in part) reason for allowing only its own browser engine on iOS & iPadOS. (Chrome, Firefox, etc. are available on iOS, but unlike on MacOS, Windows, Android, are required to use Apple's WebKit browser engine.) https://twitter.com/...
Rich Mogull / @rmogull : I'm trying to decide if learning of indiscriminate iOS zero day attacks in the wild is just incredibly concerning, or the biggest iOS security news since the launch of the platform: https://googleprojectzero.blogspot.com/ ...
Martijn Grooten / @martijn_grooten : There's a lot to say about the iPhone watering hole attacks, but if you work with vulnerable groups in China this, and the fact that P0 talked about “entire populations”, means should you take extra notice of what happened https://googleprojectzero.blogspot.com/ ... https://googleprojectzero.blogspot.com/ ... https://twitter.com/...
Alex Stamos / @alexstamos : Remember how everybody lost their mind over Microsoft Palladium? At the time, “huge corporation will use hardware-rooted DRM to censor content choices by end users” seemed the worst-case scenario. That is literally the impact of Apple's DRM in China. https://epic.org/... https://twitter.com/...
Rene Ritchie / @reneritchie : Terrific drill-down on a web-based iOS exploit chain. But, I can't find any info on what kind of sites were being used? If they were a tiny cluster in a remote region vs. major multinational, it's a very different threat level. https://googleprojectzero.blogspot.com/ ...
Alex Hern / @alexhern : As this has filtered from the security community to the mainstream, something's been lost in translation, so I want to be explicit: this is not an aggressive move by Google, and it's not part of the wider conflict between the two companies. https://www.theguardian.com/ ...
Eric Geller / @ericgeller : HUGE mobile security news: Google found malicious websites indiscriminately hacking iPhones using at least 5 separate exploit chains w/ *14* individual 0days. https://googleprojectzero.blogspot.com/ ... This is like finding a live colossal squid at the beach. Just *one* iOS 0day goes for >$1m. https://twitter.com/...
Jonathan Zittrain / @zittrain : Apple iOS has been considered the most secure smartphone OS. Disconcerting that flaws could be strung together not only to own the phone, but to do it in bulk for all users visiting a compromised/ing web site. https://twitter.com/... https://twitter.com/...
Kenneth Geers / @kennethgeers : Strategic iOS Attack —> “rare and intricate chains of code exploited a total of 14 security flaws” https://www.wired.com/...
Arrigo Triulzi / @cynicalsecurity : All I am going to say about the iOS exploit chains write up by Project Zero is: “Bloody Hell!”. In the most profound British understatement tone I can muster. https://googleprojectzero.blogspot.com/ ...
Savic Ali / @savicali : Privacy is an illusion in digital world. https://twitter.com/...
Costin Raiu / @craiu : So, people with access to big chunks of network traffic should probably scout for HTTP POSTs to “/list/suc?name=”. https://googleprojectzero.blogspot.com/ ...
@malwaretechblog : This is wild. A group were using hacked websites to indiscriminately exploit iPhones using zero days exploits, and somehow went unnoticed for years. https://googleprojectzero.blogspot.com/ ...
Jason Koebler / @jason_koebler : this is crazy crazy crazy crazy crazy. Upends everything I thought I knew about iPhone security. https://www.vice.com/...
Daniel Sinclair / @_danielsinclair : Wow. This Project Zero discovery is insane. Some unnamed entity (obviously a government) had 7 Safari 0-days that have been quietly compromising iPhones for years — all the way back to iOS 10. Anyone who visited these unnamed sites were sunk. https://googleprojectzero.blogspot.com/ ...
Alex Stamos / @alexstamos : This is a huge find by Google's team. Attribution for these sites is going to be critical to understanding what impact they might have had. https://twitter.com/...
@da_667 : the iOS 0-day/implant that google TAG found just really goes to show you why there is such a big market for iOS 0-days. With the right exposure, its intelligence goldmine that reaps massive dividends.
@motherboard : Thousands of iPhones per week have been indiscriminately hacked for YEARS and no one knew: https://www.vice.com/...
Patrick Howell O'Neill / @howelloneill : Google's Threat Analysis Group found hacked sites being used in watering hole attacks using five distinct iPhone 0-day exploit chains. The websites had thousands of visitors per week. Project Zero's analysis starts here: https://googleprojectzero.blogspot.com/ ...