Why does Google keep finding critical iPhone flaws?

Bug-hunting Project Zero team says latest software exploit exposed users’ ‘deepest secrets’

[Image: Apple’s iPhone XS running iOS 12. Image credit: Justin Sullivan/Getty Images]

Security researchers at Google have discovered a major security flaw in Apple’s iPhone range that resulted in sustained indiscriminate attacks over a period of at least two years.

Researchers at the search giant’s Project Zero team - a division that hunts for software bugs to prevent cybercriminals from exploiting them - discovered a hacking operation in January that targeted “thousands of users a week”, The Guardian reports.

The attackers used a small collection of hacked websites to deploy malware onto the iPhones of visitors. Once a device had been hacked, the victim’s “deepest secrets were exposed”, including their location, password keychain and chat histories, says the newspaper.


“Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” said Ian Beer, a cybersecurity expert at Project Zero, in a blogpost.

Google says it reported the security issues to Apple on 1 February. Apple then released an operating system update which fixed the flaws on 7 February.

All the same, this is by no means the first time that Google has discovered an iPhone flaw.

Last month, the Project Zero team revealed six fundamental flaws related to the Messages app on iOS 12. The issues, which have now been fixed, exposed a user’s data if they were sent a text message containing a certain piece of bugged code.

What happened this time?

According to Vice, some of the newly discovered attacks made use of so-called zero day exploits. These take advantage of security flaws of which the device maker, in this case Apple, is unaware and therefore has “zero days” to fix.

Project Zero discovered “five distinct iPhone exploit chains” based on 14 different vulnerabilities affecting devices running iOS 10, 11 and 12, the news site says.

Users were exposed to an attack by simply visiting one of the bugged websites.

When the user’s device was compromised, hackers would implant a piece of malware that could “access an enormous amount of data”, the BBC reports. Information was then sent back to an external server “every 60 seconds”.

The “implant” could also “scoop up data” from non-Apple apps if they were open at the time of the attack, the broadcaster notes. So if a user had Instagram, WhatsApp or Telegram open, for example, their data may have been exposed.

The attacks were not “persistent”, meaning that users would no longer be vulnerable to being hacked if they turned off their device, Vice says.

But Beer warns that “the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device”.

Why does Google keep finding flaws in Apple’s iPhones?

Google’s Project Zero, a team of “white-hat hackers”, is tasked with finding security vulnerabilities in all manner of hi-tech devices, “no matter who it is produced by”, The Guardian says.

As well as Apple’s products, the division has also poked holes in Microsoft’s Windows operating system and Google’s own mobile operating system Android.

However, while the division’s goal is to alert tech firms across the board about security vulnerabilities in order to protect users from cyberattacks, Project Zero has come under fire for its “hard-line” approach.

Firms have 90 days to fix the problem, after which the division will publish details of the security flaw “whether or not the bug has been fixed in that time”, the newspaper reports.
