Google researchers announced Thursday that they discovered security vulnerabilities that enabled multiple hacked websites to “exploit iPhones en masse.”
Ian Beer of Google’s Project Zero wrote in a blog post that the company’s Threat Analysis Group (TAG) identified “a small collection of hacked websites” that were being used as “watering hole” sites to attack visitors using iPhones.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” Beer wrote. “We estimate that these sites receive thousands of visitors per week.”
The implant installed in the iPhones would run in the background without users’ knowledge and had access to all the files on infected phones, including messages sent on end-to-end encrypted apps such as WhatsApp, Telegram and iMessage.
Hackers were also be able to copy any photos or contacts from the infected phone, access emails and track the user’s GPS location.
Beer noted that while the implant could be stopped if a user rebooted their phone, if the user then visited the infected websites again, the implant would run again.
“Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device,” Beer wrote.
While Beer noted that this was a “failure case” for the attackers, there are likely other malicious campaigns against iPhones that have not yet been discovered.
Google’s TAG found 14 vulnerabilities, with exploit chains found for every iPhone version from iOS 10 through iOS 12. Beer noted this likely meant a malicious group had been trying to hack iPhones that visited these websites for at least two years.
Google said it reported the vulnerabilities to its rival Apple in February, with Apple subsequently releasing an “out-of-band” release of iOS 12.1.7 less than a week later to address the vulnerabilities. Apple also publicly disclosed the security vulnerabilities.
Apple did not immediately respond to request for comment on Friday.
Beer emphasized that enhanced security of iPhones and other mobile devices will never completely eliminate the risk of a cyberattack, noting that certain groups of users will be targeted regardless.
“All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them,” Beer wrote.