A two-year attempt to hack large numbers of iPhones might have provided adversaries with access to user contacts, photos, and location data, Google researchers found.
A “small collection of hacked websites" exploited vulnerabilities in Apple's iOS operating system, allowing hackers to covertly place "monitoring implants" on the phones of users who visited said websites, according to Ian Beer of Google's Project Zero security research team. The names of the hacked websites weren't disclosed by Google.
"Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring device," Beer wrote in a blog post late last week. "We estimate that these sites receive thousands of visitors per week."
The monitoring implants used by the hackers had the ability to steal private data like iMessages, photos and GPS location in real-time, according to Google researchers.
"The hacked sites were being used as indiscriminate watering holes against their visitors," Beer said.
Working with Google's Threat Analysis Group (TAG), the researchers discovered a total of 14 iPhone vulnerabilities related to five exploits. Seven of the vulnerabilities were tied to the iPhone's web browser, five were related to the kernel, and two were associated with separate sandbox escapes, according to researchers.
Google said it reported these issues to Apple on Feb. 1 2019 and provided the smartphone giant with a seven-day deadline. Apple issues a security update on Feb. 7 that covered the identified issues.
The separate and unique iPhone exploit chains identified by Google researchers covered almost every version of the iOS operating system, from iOS 10 through to the latest version of iOS 12.
"This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years," Beer said in a blog post announcing its findings. "For this one campaign that we’ve seen, there are almost certainly others that are yet to be seen."