Google and Apple may be competing with each other for the best devices and market share, but they are allies in the war against cybercrime. Proof of that was revealed when Google's Project Zero security research team informed Apple that they had discovered an iPhone hack and had identified 14 security flaws in iOS versions 10 through 12. These hacks gave the attackers access to almost every level of the iPhone’s software. According to Wired Magazine, “Once installed, it could monitor live location data, or be used to grab photos, contacts, and even passwords and other sensitive information from the iOS Keychain.”
How The Massive iPhone Hack Happened
Google Project Zero researcher Ian Beer announced the discovery of the hack, which was quite intricate. To be infected, an iPhone user only needed to visit one of a certain group of websites and view its pages. No other action by the user was required. The code on these websites included calls to five “exploit chains,” sequences of vulnerabilities in iOS that allowed progressively deeper access to data and functions within the phone.
According to Thomas Reed of Malwarebytes, the hacks made almost every bit of encrypted data within an iPhone available to the hackers, including:
- Your phone’s unique identifiers, including its phone number and serial number
- Your location
- All your contacts
- Your call history
- All your email
- All your text messages
- All your notes in the Notes app
- All your stored/saved passwords in Keychain
...and many more. See the complete list in Reed’s blog post.
Just as scary, it’s entirely possible that it wasn’t just the hackers who had access to all of the phone’s personal data. While the hack itself was very sophisticated, Wired Magazine says that the way the hackers wrote the rest of their code was very sloppy. It failed to encrypt the data that the hack sent back to the hackers, meaning that all of the data was available for anyone with intermediate knowledge of internet protocols to intercept and read.
Another flaw of the hack was that it was not persistent, so it disappeared after each reboot or update of iOS. But once the user returned to the same websites, they had the potential to be reinfected.
Who Was Targeted
Ian Beer’s original post did not reveal the identities of the infected websites, but he seemed to imply that the websites were related to a specific ethnic or political group, probably outside of the United States. This close-knit group of sites is referred to as a “watering hole” for a group. In the past, there have been very few successful iPhone hacks, and these hacks have been extremely expensive. Estimates say that hacking an individual iPhone used to cost as much as $1 million to $2 million. But with the potential of such a watering-hole attack, the cost per individual hack drops significantly.
These vulnerabilities were present in almost every version of iOS from 10 through 12.1.3, and remained unknown until recently. Apple patched iOS with version 12.1.4.
Was Your iPhone Hacked?
Chances are, your phone was not among those that were hacked. Often, personally identifiable information (PII) obtained in hacks like this (or breaches of your individual PC, your company’s servers, health care companies, insurance companies, vendors, customers, credit bureaus, banks, and so on) eventually makes its way to the Dark Web. There, it is sold to other criminals who hope to exploit your information by stealing your identity, obtaining credit in your name, or otherwise doing you harm.
That is why, as part of our complete Business Protection Toolkit, we provide Advanced Identity Monitoring, which includes ID monitoring (including Dark Web scans of your and your staff’s personal information) and $1,000,000 in resources to repair stolen IDs.
What To Do Next
While the chances of your being a victim of this particular iPhone hack are slim, the chances are much greater that your company information will be breached. Cyber security, new threats, and new solutions all change daily, and unless you are partnered with a company that is up to date on it all, you and your company can be at risk, especially if your business has access to personally identifiable information, health information or financial information. Talk to the experts at Digital Uppercut to find out what we can do to help you keep your business and your data safe. Contact us online, or call us at 818-913-1335.