Sat. Jan 23rd, 2021

Malicious Websites Secretly Hacking iPhone for Years

Since 2017, several malicious websites have exploited a set of previously undisclosed software flaws to hack thousands of iPhones. Although it is unclear exactly how many devices were affected, many believe that this may be one of the largest attacks against iPhone users ever.


In a detailed blog post, security researchers at Google’s Project Zero described their discovery of what they call an “indiscriminate” attack against unsuspecting victims.


“Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” said Ian Beer, a security researcher at Project Zero.


Even more, the websites had been hacking iPhones over a “period of at least two years.”


TechCrunch reports that “the researchers found five distinct exploit chains involving 12 separate security flaws, including seven involving Safari, the in-built web browser on iPhones. The five separate attack chains allowed an attacker to gain “root” access to the device — the highest level of access and privilege on an iPhone. In doing so, an attacker could gain access to the device’s full range of features normally off-limits to the user. That means an attacker could quietly install malicious apps to spy on an iPhone owner without their knowledge or consent.”


The vulnerabilities affect devices running iOS 10 through iOS 12.


Although Apple’s devices are seen as the most secure for end-users, Google’s revelation further proves that no device is one hundred percent secure.


Google’s security researchers discovered the attack earlier this year. Before making their findings public, they informed Apple, which fixed the vulnerabilities with the release of the iOS 12.1.4 update in February.