Why does Google keep finding critical iPhone flaws?
Bug-hunting Project Zero team says latest software exploit exposed users’ ‘deepest secrets’
Security researchers at Google have discovered a major security flaw in Apple’s iPhone range that resulted in sustained indiscriminate attacks over a period of at least two years.
Researchers at the search giant’s Project Zero team - a division that hunts for software bugs to prevent cybercriminals from exploiting them - discovered a hacking operation in January that targetted “thousands of users a week”, The Guardian reports.
The attackers used a small collection of hacked websites to deploy malware onto the iPhones of visitors. Once a device had been hacked, the victim’s “deepest secrets were exposed”, including their location, password keychain and chat histories, says the newspaper.
Subscribe to The Week
Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.
Sign up for The Week's Free Newsletters
From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.
From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.
“Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” said Ian Beer, a cybersecurity expert at Project Zero, in a blogpost.
Google says it reported the security issues to Apple on 1 February. Apple then released an operating system update which fixed the flaws on 7 February.
All the same, this is by no means the first time that Google has discovered an iPhones flaw.
Last month, the Project Zero team revealed six fundamental flaws related to the Messages app on iOS 12. The issues, which have now been fixed, exposed a user’s data if they were sent a text message containing a certain piece of bugged code.
What happened this time?
According to Vice, some of the newly discovered attacks made use of so-called zero day exploits. These take advantage of security flaws of which the device maker, in this case Apple, is unaware and therefore has “zero days” to fix.
Project Zero discovered “five distinct iPhone exploit chains” based on 14 different vulnerabilities affecting devices running iOS 10, 11 and 12 operating systems, the news site says.
Users were exposed to an attack by simply visiting one of the bugged websites.
When the user’s device was compromised, hackers would implant a piece of malware that could “access an enormous amount of data”, the BBC reports. Information was then sent to back to an external server “every 60 seconds”.
The “implant” could also “scoop up data” from non-Apple apps if they were open at the time of the attack, the broadcaster notes. So if a user had Instagram, WhatsApp or Telegram open, for example, their data may have been exposed.
The attacks were not “persistent”, meaning that users would no longer vulnerable to being hacked if they turned off their device, Vice says.
But Beer warns that “the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device”.
Why does Google keep finding flaws in Apple’s iPhones?
Google’s Project Zero, a team of “white-hat hackers”, is tasked with finding security vulnerabilities in all manner of hi-tech devices, “no matter who it is produced by”, The Guardian says.
As well as Apple’s products, the division has also poked holes in Microsoft’s Windows operating system and Google’s own mobile operating system Android.
However, while the division’s goal is to alert tech firms across the board about security vulnerabilities in order to protect users from cyberattacks, Project Zero has come under fire for its “hard-line” approach.
Firms have 90 days to fix the problem, after which the division will publish details of the security flaw “whether or not the bug has been fixed in that time”, the newspaper reports.
Sign up for Today's Best Articles in your inbox
A free daily email with the biggest news stories of the day – and the best features from TheWeek.com
-
DOJ seeks breakup of Google, Chrome
Speed Read The Justice Department aims to force Google to sell off Chrome and make other changes to rectify its illegal search monopoly
By Peter Weber, The Week US Published
-
Google Maps gets an AI upgrade to compete with Apple
Under the Radar The Google-owned Waze, a navigation app, will be getting similar upgrades
By Justin Klawans, The Week US Published
-
How will the introduction of AI change Apple's iPhone?
Today's Big Question 'Apple Intelligence' is set to be introduced on the iPhone 16 as part of iOS 18
By Justin Klawans, The Week US Published
-
FDA OKs Apple AirPods as OTC hearing aids
Speed read The approved software will turn Apple's AirPods Pro 2 headphones into over-the-counter hearing aids
By Peter Weber, The Week US Published
-
Will the Google antitrust ruling shake up the internet?
Today's Big Question And what does that mean for users?
By Joel Mathis, The Week US Published
-
Apple unveils AI integration, ChatGPT partnership
Speed Read AI capabilities will be added to a bulked-up Siri and other apps, in partnership with OpenAI's ChatGPT
By Peter Weber, The Week US Published
-
Apple Intelligence: iPhone maker set to overhaul the AI experience
In the Spotlight A 'top-to-bottom makeover of the iPhone' sees the tech giant try to win the consumer AI game
By Harriet Marsden, The Week UK Published
-
Justice Department bites Apple with iPhone suit
Speed Read The lawsuit alleges that the tech company monopolized the smartphone industry
By Rafi Schwartz, The Week US Published