Thousands of Apple devices have been under attack from hackers since 2016, and it was only uncovered when Google’s Project Zero Threat Analysis Group (TAG) discovered a small collection of hacked websites that were being used to compromise devices running iOS 10 to iOS 12.
Was your device compromised? Here’s more on the hack…
Safety in numbers
Apple’s smartphones have a reputation for being fairly secure against hackers. What you might not realise is that this is down to numbers more than anything – because there are fewer iOS users than Android users, attacks on Apple devices are less profitable for hackers.
This is why hacks on Apple devices are usually focused on specific, more profitable groups, such as politicians or large companies. The strange thing about this Apple hack is that it appears to be completely indiscriminate, which isn’t the most profitable route for cyber criminals to go down.
How were the Apple devices compromised?
The exploit chains had been active since iOS 10, which has been available since September 2016. The attacks continued through the iOS 11 and iOS 12 updates, and came to an end when Apple released iOS 12.1.4 on February 7. The exploit chains delivered so-called implants onto the devices via infected websites. Thousands of site visitors were infected each week over a period of at least two years, with the Safari app acting as the door. A simple reboot removes the implant, but users tend not to reboot frequently.
What information was accessed?
Once the implant was in the system, it targeted the databases of messenger apps such as WhatsApp, iMessage and Telegram. Even e-mail clients like Outlook were affected. The exploit chain accessed messages and photos from chats that were actually encrypted. Furthermore, passwords as well as Wi-Fi credentials were read out of the Apple Keychain, and the position of the device was tracked by GPS. The identity of the perpetrators has not yet been announced – nor their motives. It is speculated that certain larger target groups were in the crosshairs, and that the websites initially infected were probably chosen with those groups in mind.