Experts from Google Project Zero uncovered the iOS vulnerability. This team was responsible for uncovering information on Meltdown and Spectre in early 2018.
Google Project Zero uncovered a zero-day exploit that allowed malicious websites to steal iPhone data. Passwords, geolocation data and user photos could all be compromised in the attacks. Code inserted into these sites attacked devices through their web browser, taking advantage of system vulnerabilities. Google Project Zero uncovered a total of 14 such vulnerabilities.
The malicious code was active on all versions of iOS, including iOS 12. The attacks did not work on iPhone XS and XR, which had A12 chips installed. However, users of all iPhones no longer have to worry, because the experts who discovered the vulnerability first informed Apple about this issue, only publishing their study after the company had successfully fixed the problem in a new software update. The exploit was active for over two years before it was discovered.
According to the Project Zero report, Safari and other browsers using the WebKit engine were targeted in these attacks. Attackers could hack into both iPhones and iPads; however, only smartphones were specifically targeted during these attacks.
Of the 14 vulnerabilities, half were related to WebKit, another five were linked to the core of the operating system, and the remaining two allowed hackers to bypass the restrictions of the application sandbox, in which apps are executed independently of one another.
After loading on the phone, the malware gained superuser (root) rights, and then sent decrypted data from various apps to the hackers every minute.
Zero-day exploits are the most dangerous of all information security vulnerabilities, because neither users nor developers are aware of them. This means that hackers can easily take advantage of this type of vulnerability, because even once it is discovered, programmers will need some time to fix it. That’s why researchers working for teams like Project Zero play a crucial role in protecting users from potential threats.
Whenever cybersecurity experts discover a new threat, they start by informing developers. Project Zero informed Apple about the vulnerability back in February 2019. The information was shared with the public only on August 29, 2019, after all iOS users updated their software.