For many years, the iPhone enjoyed a reputation as an “unhackable” device. Whether this is due to its association with macOS (which, itself, is highly secure) or the fact that no high-profile malware cases existed for a while, Apple rightly promoted its phones as a safer alternative to Android — a far more open system with malware problems of its own.
But as anyone familiar with Apple’s software ecosystem knows, security holes of some form have existed in every edition of iOS since the beginning. This is how amateur developers created jailbreak software, after all. And like clockwork, each time a new jailbreak was released, a security patch from Apple wasn’t far behind to close the hole.
One of the most significant security holes in iOS’s existence, however, wasn’t discovered by jailbreakers at all — but by Google engineers. They found that several phony websites had been covertly hacking the iPhones of those who visited, and worst of all, they’d been up to it for years. Here’s how they did it, as well as how you can find out if your phone is secure from harm.
Google’s Project Zero identifies malicious websites that targeted iOS for years
According to a new blog post from Google’s Project Zero security research team, a stunning number of malicious websites have been festering on the web and secretly hacking iPhones for years. These malicious sites contained code that exploited security vulnerabilities in earlier versions of iOS, with many relying on a series of exploits found in the Safari web browser.
If malware was successfully implanted in the victim’s iPhone, it would proceed to install monitoring software that was capable of snapping up private photos, text messages and GPS locations in real time.
Project Zero estimates that thousands of iPhone users were tricked into visiting these malicious websites through various means like emails and spam, with the targeted operating systems spanning from iOS 10 to earlier versions of iOS 12. This proves the endeavor was a sustained, multi-year effort to hack as many iPhones as possible.
What sites were installing malware? Is my phone compromised?
For the safety of readers and the morbidly curious, Project Zero did not list or name the malicious websites involved in the hacking effort. What they did reveal, however, was that they reported the threat to Apple back in February of this year and that Apple subsequently patched the security flaws in several iOS software updates.
Project Zero also stated that the affected population was limited in scope, with several individuals being “VIPs” potentially of interest to nation-state actors, which points a finger at the likely culprits.
If a nation were indeed behind this hacking effort, it was more likely concerned with monitoring political dissidents or surveilling “risky” civilians. In Project Zero’s words, “the attackers monitored the private activities of entire populations in real-time.”
So let’s say you were unfortunate enough to visit one of these compromised websites without knowing. If you’re currently on the most up-to-date version of Apple’s operating system, you’re already safe.
The latest releases of iOS 12 contain security patches that address the issue, and that has been the case since Google alerted Apple about the threat. This means that if you’re not on the latest version of iOS, it’s absolutely time to update your device. The fact that such a big exploit sat unaddressed for so long means it’s likely that other hackers may have the same idea.
If you have reason to suspect your phone is or was compromised at any time, the best thing you can do for peace of mind is to back up and restore your phone to factory settings.
If you use iCloud to back up your device, this is especially helpful, as the data it recovers upon restoration is added to a completely clean copy of the operating system. That way, any leftover code from the malware will be completely eliminated.
As bad as amateur hackers are, the scariest threats our digital society may face in the future will come from cyber military units and nation-state actors. Not only do they have far more resources at their disposal than the average basement dweller, but they’re also far more organized with more hackers on the job.
Thankfully, unlike with real weapons of war, simple online precautions can keep you safe from this menace. Just make sure not to click any strange links in the meantime.