The potential impact of the latest attack on iPhones is massive, not to mention hugely concerning for every user of Apple’s famous smartphone.
That simply visiting a website can lead to your iPhone being hacked silently by some unknown party is worrying enough. But given that, according to Google researchers, the hackers could read messages from WhatsApp, iMessage, Telegram and other end-to-end encrypted apps, the attacks undermine the security those apps promise. It is a stark reminder that end-to-end encryption protects messages in transit, not on a compromised endpoint: once hidden malware owns iOS, the encryption is entirely undone. Own the operating system, own everything inside.
Among the trove of data released by Google researcher Ian Beer on the attacks was detail on the "monitoring implant" the hackers installed on the iPhone. He noted that it had access to all the database files on the victim's phone used by those end-to-end encrypted apps. Those databases "contain the unencrypted, plain-text of the messages sent and received using the apps." The implant would also let the hackers snoop on Gmail and Google Hangouts, contacts and photos. They could also watch where users were going with a live GPS location tracker. And the malware stole the "keychain," the store for the device's credentials and authentication tokens, including the passwords for every remembered Wi-Fi network.
Shockingly, according to Beer, the hackers didn't even bother encrypting the data they were stealing, making a further mockery of encrypted apps. "Everything is in the clear. If you're connected to an unencrypted Wi-Fi network, this information is being broadcast to everyone around you, to your network operator and any intermediate network hops to the command and control server," the Google researcher wrote. "This means that not only is the end-point of the end-to-end encryption offered by messaging apps compromised; the attackers then send all the contents of the end-to-end encrypted messages in plain text over the network to their server." Beer's ultimate assessment is sobering: "The implant has access to almost all of the personal information available on the device, which it is able to upload, unencrypted, to the attacker's server."
And, Beer added, even once the iPhone has been cleaned of the infection (which would happen on a device restart, since the implant did not persist across reboots, or once the patch is applied), the information the hackers pilfered could be used to maintain access to people's accounts. "Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device."
iPhone users should upgrade to the latest iOS as soon as they can to get the patch for the flaws, which Apple shipped earlier this year. Because the stolen keychain tokens outlive the implant, anyone who believes they were affected should also change passwords and sign out of active sessions on their accounts. Apple did not comment.
The attack has a significantly wider impact than a previously reported WhatsApp-based hack. In May, a human rights lawyer in the U.K. was targeted by iPhone malware allegedly created by Israeli firm NSO Group. That hack was limited and targeted, triggered only by a WhatsApp call placed to the victim. In the latest attacks, by contrast, thousands could have had their data stolen: the unnamed websites that launched the malicious code received thousands of visitors, according to Google.
Zuk Avraham, CEO of mobile security firm ZecOps, said this was likely only the tip of the iceberg. Hundreds of thousands could well be infected with similar malware, he warned.
Avraham said he had analyzed many cases of attacks on iPhones and iPads. He said he would not be surprised if the share of remotely infected iOS devices was anywhere between 0.1% and 2% of the roughly 1 billion iPhones in use, which would be between 1 million and 20 million devices.
"The only way to fight back is to patch vulnerabilities used as part of exploit chains while strategic mitigations are developed. This cannot be done effectively solely by Apple without the help of the security community," Avraham added.
"Unfortunately the security community cannot help much due to Apple’s own restrictions. The current sandbox policies do not allow security analysts to extract malware from the device even if the device is compromised."