The Limited Times
Google reveals huge iPhone hacking campaign

2019-08-30T10:07:21.584Z


For years, compromised websites have secretly installed spyware on iPhones. The technical sophistication of the campaign is impressive; its goals remain enigmatic.



Google's security research team Project Zero exists to find and document vulnerabilities before others can find and exploit them. This time, however, the elite hackers have documented a real attack, one that may be the largest iPhone hacking campaign seen so far.

According to Project Zero's blog post, Google's Threat Analysis Group (TAG) discovered earlier this year a "small collection of hacked websites" that had been spreading spyware to iPhones for at least two years, with an estimated thousands of visitors per week. Simply visiting one of the manipulated websites with an Apple phone was enough to get infected. Even a fully updated device was not necessarily safe: the attacks covered every version from iOS 10 through iOS 12.

Over time the websites used five different exploit chains, each one complete and unique, writes Ian Beer of Project Zero. In effect that means five worst-case scenarios for iPhone owners, and for Apple.

These attack techniques would have been worth millions

An exploit chain strings together several exploits, each of which abuses a single vulnerability, so that an attacker can get past the device's layered security measures one after another following the initial infection. A typical link in such a chain is a sandbox escape: the sandbox isolates apps and system components from one another and is meant to stop malware that has compromised one of them from spreading any further.

Even a single exploit can be worth millions of dollars if it is exclusive and unknown to the vendor of the affected hardware or software. This is where the term zero-day comes from: when the attack happens, the manufacturer has had zero days to prepare a defense. Exploit brokers sell such exploits to law enforcement and intelligence agencies, but security researchers can also report them to the manufacturer and collect a reward.

Exploits against iPhones are relatively rare, especially ones that work against the current version of the operating system, which leaves the victim no chance to defend themselves. Complete exploit chains are correspondingly valuable. The five chains described by Project Zero used a total of 14 vulnerabilities (seven in Safari's browser engine, five in the iOS kernel and two separate sandbox escapes), some of which were zero-days at the time of their deployment. To some brokers and buyers they would very likely have been worth a total well into eight figures.

The spyware installed on the affected iPhones, which has no public name, was able to access the message databases of, for example, WhatsApp, Telegram and Apple's iMessage, that is, to read entire chats. It could send data from any app to the attacker's server, such as emails from the Gmail app, contact lists and photos. It could transmit the victim's GPS-based location in real time. And it could read the so-called keychain, which stores many passwords, access tokens and cryptographic certificates.

However, the implant did not persist on the iPhones. After a reboot it was gone, until the next visit to one of the manipulated websites. But a single infection is enough to capture credentials and files.

Even Apple products are not unhackable

Given these capabilities, the question arises why the perpetrators attacked iPhone users indiscriminately, without knowing whether a target was worthwhile. If they had only been after money, they could have helped themselves to other people's accounts and chats or resold the loot. They could have blackmailed their victims with the captured data and photos. But burning such powerful exploits for that would be quite unusual, to say the least.

In theory, the years-long campaign could have been an attempt at political, military or industrial espionage. First, it is unclear whether only the handful of websites discovered by Google distributed the malware, or other sites as well. Second, Project Zero does not reveal which sites they were. If the sites were aimed at a specific audience, soldiers for example, that would point to a campaign that was broadly scattered but targeted in terms of content.

So far, there are only hints from Google as to who the victims may have been. The blog post states: "To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group." A little further down comes the phrase "the capability to target and monitor the private activities of entire populations in real time". In addition, in the section on the details of the implant, Project Zero lists the apps whose data the implant always extracts. That list includes a striking number of services that are popular in China (for instance Tencent's WeChat and QQMail). Experts on Twitter therefore speculate that the campaign was directed against certain ethnic minorities in China.

Project Zero informed Apple of its discovery on February 1, 2019 with a seven-day disclosure deadline, and on February 7 the company released iOS 12.1.4, which closed the vulnerabilities used by the exploit chain that was active at the time. Project Zero is only now publishing the details because analyzing the attacks was very time-consuming.

For Apple and its customers, Project Zero's discovery is the second clear message within a short time that even the supposedly secure products from Cupertino are anything but invulnerable.

Source: spiegel
