iOS hacking risk for two years due to 14 0-day vulnerabilities

The Project Zero security team from Google has discovered a high-profile malware campaign that has been targeting iPhone users for at least two years: a small group of websites has been exploited to compromise Apple smartphones with iOS versions from 10 to 12, appropriately using a set of 14 different vulnerabilities never revealed, or zero-day flaws.

The campaign should now be terminated although Project Zero, which specializes precisely in zero-day leaks, warns that there may be other flaws and other sites not yet identified and capable of leading to results of the same gravity.

Apple has solved the flaws with the iOS 12.1.4 update released in February after the team released the vulnerabilities, giving it a week before disclosing them. Project Zero normally grants 90 days from the moment it communicates its findings to the person concerned: the very close deadline imposed on Apple is a symptom of the severity of the vulnerabilities discovered.

” There was no target distinction: simply visiting one of the sites was sufficient to allow the exploit server to attack the device, with the installation of a monitoring system if it was successful. We estimate that these sites receive thousands of visitors a week, ” said Project Zero’s Ian Beer.

The attacks, part of the ” watering hole ” category, allow an attacker to compromise the end user device by infecting particularly frequented websites, with the aim of gaining access to the victim’s device and installing malware or malvertising on it.

The 14 vulnerabilities, present in Safari and in the kernel (plus two separate instances of sandbox-escaping, which allow the execution of arbitrary code outside the boundaries of an application) allowed to implement up to five different attacks, capable of in turn to guarantee root access to the attacker and thus granting full permissions to install malware and access resources that cannot otherwise be reached, such as photographs, messages, contacts and geographic coordinates, all with communication to a server command-and-control.

And there is, unfortunately, more: the attacks and the following malware installation had the possibility to load on the server command-and-control also the keychain of the device and the data containers of various third-party apps like Whatsapp, Telegram, Skype, Facebook, Gmail and Viber, for example.

The data containers contain all the information that passes from the app: messages, documents, photographs and so on. In this case not even end-to-end encryption can do anything: it allows to secure data from man-in-the-middle attacks when they are in transit, but it is of no use when the attack and compromise take place on the device and the attacker can get hold of plain text messages sent and received (and already decrypted).

We have already mentioned above that Apple released the fix last February with the iOS 12.1.4 update, and the other good news is that the malware that can be loaded has no persistence, which means that after a reboot Your phone is no longer infected, unless you visit a compromised site again and have your phone out of date. Unfortunately, it is impossible to know which websites are compromised.

All the technical details of the vulnerabilities and attacks can be found on the Project Zero blog. Those who have not yet updated iOS should do so as soon as possible through the usual software update mechanism.