Google Security Researchers Detail Major Attack Against iPhone Users

Posted on August 30, 2019 by
Google Security Researchers Detail Major Attack Against iPhone Users

Thousands of iPhone users may have had their devices hacked by malicious code found in a handful of websites, according to security researchers with Google.

The security vulnerability has been revealed through a new blog post from Google’s Project Zero team member Ian Beer. The post describes a small group of websites that were likely visited thousands of times a week; when users visited the sites on iPhone browsers, malicious code on the sites would seek to gain access to their iPhone devices, and, if successful, install code that would enable the theft of files and the monitoring of location data.

Users could eliminate the implanted code by rebooting their iPhones. But arguably the most serious security threat of the attack is that the malware was designed to try to access the iPhone’s Keychain system, which can contain sensitive information including passwords to various online accounts as well as databases of encrypted messaging apps like WhatsApp and Apple’s iMessage. In cases where the Keychain was compromised, hackers could theoretically still have this sensitive data even after users rebooted their iPhones.

Google’s researchers warned Apple about the security vulnerability in February, and Apple addressed it in an iPhone software update shortly thereafter. But with Google’s Beer noting that the security vulnerabilities affected iOS versions 10 through 12, it’s possible that related hack attacks were being undertaken over the course of two years.

In reporting on the Project Zero post, Motherboard asserts that this security issue may represent one of the largest attacks against iPhone users in the product line’s history.

For Apple, the security vulnerability’s revelation is especially embarrassing given the company’s emphasis on strong security and privacy protections for its devices’ users. And it both highlights and undercuts the value of the kind of sophisticated biometric security measures that Apple has implemented for user authentication: On the one hand, a 3D facial recognition system like the iPhone’s Face ID offers no protection against malware designed to quietly infect the device while it’s in use; yet at the same time, Face ID and other forms of biometric authentication can help to keep digital accounts secure even if the passwords in a user’s Keychain have been compromised.

For his part, Google’s Beer is no Pollyanna on iPhone security, asserting in his post that “for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen.”

Sources: Project Zero, Motherboard, The Verge

Tags: , , , , , , , , , , , , ,
Related Posts
Visa Token Service to Reach 12 European Markets by End of Year Visa Token Service to Reach 12 European Markets by End of Year
Windows Hello Comes to Two New VAIO Laptops Windows Hello Comes to Two New VAIO Laptops
MWC 2015: EyeVerify to Fully Integrate Tech into AirWatch Platform MWC 2015: EyeVerify to Fully Integrate Tech into AirWatch Platform
BRIEF: What’s Next for Fingerprint Sensors BRIEF: What’s Next for Fingerprint Sensors
New Report Illustrates Huge Boom in Biometric Smartphones New Report Illustrates Huge Boom in Biometric Smartphones
Upgraded Authenticator for Android Features Wearable Compatibility Upgraded Authenticator for Android Features Wearable Compatibility
New GSMA Report Details Pakistan’s Digital Transformation Strategy New GSMA Report Details Pakistan’s Digital Transformation Strategy
Precise Biometrics Tech Draws Repeat Customer Precise Biometrics Tech Draws Repeat Customer