Google discovers major iPhone security flaw that enabled hackers to put ‘monitoring implants’ in iPhones for years
Google announced today that it has discovered flaws in the iPhone that enabled hackers to put ‘monitoring implants’ in iPhones for years. The discovery, made by Google’s Project Zero Threat Analysis Group (TAG), revealed 14 security flaws in iPhones that existed for two years. According to Google, visiting a hacked site was all that was needed for a server to gather users’ images and contacts. A user only had to visit a website to potentially give hackers access to messages, photos, contacts and location information, Google said. Apple confirmed Google’s findings and said it fixed the flaws in a software update back in February.
As part of the security research, Google’s Threat Analysis Group (TAG) discovered in early 2019 a small collection of hacked websites. According to the report, “the hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day.”
- detailed write-ups of all five privilege escalation exploit chains;
- a teardown of the implant used, including a demo of the implant running on my own devices, talking to a reverse-engineered command and control server and demonstrating the capabilities of the implant to steal private data like iMessages, photos and GPS location in real-time, and
- analysis by fellow team member Samuel Groß on the browser exploits used as initial entry points.