Apple's Massive iPhone Attack: What Happened and How to Protect Yourself
It’s been a rough couple of weeks for Apple: Google has reported that for at least two years, hackers have been exploiting a set of iPhone vulnerabilities. Thousands of iPhones have been hacked in the meantime, just by getting users to visit a number of websites.
iPhone hacking has been seen as a rare endeavor, with mostly sophisticated professionals choosing high-value targets, but Google’s security research team, Project Zero, has revealed a broad campaign in which hackers made use of Apple’s security vulnerabilities. The campaign used as many as 14 security holes, which allowed hackers to target the core operating system as well as exploit two distinct sandbox escape vulnerabilities.
Apple has now confirmed that the attacks targeted China’s Uyghur Muslim community. When users visited the site they had been baited into visiting, hackers would infect their devices with malware and, from there, cause havoc. This included stealing user files, accessing data like their iOS Keychains, which store passwords and other sensitive information, and monitoring their location data.
A Mac and mobile malware research specialist from Malwarebytes, Thomas Reed, says, “This is terrifying. We’re used to iPhone infections being targeted attacks carried out by nation-state adversaries. The idea that someone was infecting all iPhones that visited certain sites is chilling.”
Google has stated that the malicious sites were set up to deliver powerful monitoring malware, which left any version of iOS from iOS 10 through to iOS 12 vulnerable. The sites in question have been active for a number of years now, dating back to at least 2019, and have seen thousands of visitors on a weekly basis.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” Project Zero wrote. “We estimate that these sites receive thousands of visitors per week.”
The attack on a vast number of iPhone users has come as a shock to many. Not only is this one of the worst attacks that iPhone users have ever seen in terms of the scale of users targeted, but it also goes deep in terms of the information it could obtain from users.
As soon as the malware in question was installed on a victim’s device, it could gain access to their photos, contacts and location data, as well as passwords and other sensitive data stored in the iOS Keychain.
Ian Beer, a security researcher at Google, says, “Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device.”
This type of deep access means that attackers could also potentially listen to or read any communications sent through encrypted messaging services. These include apps like WhatsApp, Signal, and iMessage.
This type of attack has also dispelled the notion that iPhone attacks are a million-dollar feat. Cooper Quintin, a security researcher who works at the Electronic Frontier Foundation’s Threat Lab, explains, “The prevailing wisdom and math has been incorrect. We’ve sort of been operating on this framework, that it costs $1 million to hack the dissident’s iPhone. It actually costs far less than that per dissident if you’re attacking a group. If your target is an entire class of people and you’re willing to do a watering hole attack, the per-dissident price can be very cheap.”
Apple has recently released a statement disputing Google’s timeline as well as how Google characterized the attack, but did not refute the way in which the attack was accomplished.
“First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ‘en masse’ as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community,” the statement reads. “Google’s post, issued six months after iOS patches were released, creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real-time,’ stoking fear among all iPhone users that their devices had been compromised. This was never the case.”
So what can you do? Beer says that users need to remain vigilant and remember that attacks like this can happen. “All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”
How to Keep Your iPhone Safe
There are a number of steps that you can take to secure your iPhone and make sure this type of attack doesn’t happen to you. Keep reading to find out what those steps are and ensure your smartphone is as secure as it can be.
1. Do Not Jailbreak Your Phone
Many Android users will argue that the beauty of their operating systems is the fact that they’re so customizable. Whilst this is true, Android has a higher hacking and malware attack rate in general.
Jailbreaking your iPhone will allow you to access software and apps that are not found on the Apple App Store, but at the same time, it will also expose your phone to certain malware, as well as viruses of all kinds. Additionally, as soon as you’ve jailbroken your device, you will void your warranty, which means that you will not be able to get any assistance from Apple should anything go wrong.
2. Update your iOS Regularly
Most of us are lazy when it comes to updating to the latest version of iOS, but this is one of the best ways that you can protect yourself from hackers. By updating your device, you allow Apple to install the latest security features that are available, as well as fix any bugs or weak points that hackers can take advantage of. To do this, open the Settings app, select General, and then Software Update. If there is an iOS update currently available, you will be prompted to download and install it.
3. Invest in Reliable Antivirus Software
Antivirus software is designed so that viruses and malware are stopped in their tracks from entering and damaging your iPhone. If you don’t install an antivirus program on your smartphone, you run the risk of it being infected with spyware, malware and deadly viruses which will prevent your iPhone from working properly.
As you can see from recent reports, iPhones are not immune to hacker attacks, so it’s best to look into which antivirus software will work best for your needs, keeping your personal information safe at all times. Make sure to check out the best antivirus programs available for iPhones at the moment.
4. Make Use of the Six-Digit Passcode
Apple has made the six-digit passcode the default for some time now; however, there are many users who have reverted to the four-digit passcode or no passcode at all. The number of possible combinations of a six-digit passcode in comparison to the four-digit passcode makes a huge difference to your iPhone security.
When you do set your passcode, be sure to remember to stay away from any birthdays, personal dates like anniversaries, names or other information that can quickly be uncovered by visiting your social media accounts. This is a rookie mistake that many people make, which makes your device highly susceptible to a security setback.
5. Get Your Hands on a VPN
A Virtual Private Network or VPN will keep your iPhone secure whilst you’re online, which is pretty much all the time now. No matter whether you’re tuning in to your favorite shows and need to get around geo-blocks, or need to use your mobile banking app, your VPN will be able to reroute your traffic to another server on the other side of the globe, making you invisible to your ISP, government agencies or third party hackers.
To find out what your best options are in securing your iPhone with a VPN, check out the top VPN apps for iPhone and iPad in 2019.
6. Disable Siri
Siri was a really cool feature introduced by Apple back in the day, but the virtual assistant has also proven to be quite the blabbermouth when it comes to revealing your personal information. Whilst Siri usually asks for verification before you’re granted access to parts of your phone like your contacts, hackers have found ways of getting Siri to work around the password screen of your iPhone.
7. Stop Using Free Public Wifi
Many people don’t think twice about connecting to a free public wifi network, completely unaware that these spots can be a hacker’s sweet spot for breaking into your phone. Those who travel often will find it convenient to use their hotel or conference center wifi, but connecting to unprotected networks in shopping centers, cafes, airport terminals, parks or gyms can be far less secure.
The only way that free wifi networks can truly be secure is if you connect to your VPN prior to connecting to the wifi in question. If you don’t have a VPN to fall back on, use the data on your phone instead to remain as safe as possible.
8. Manage Your App Permissions
Check out all the apps found on your phone and determine whether they have more privileges than they need in order to get the job done. Remember that many of these apps will have access to things like your contact list, camera, microphone, and your location. Think about the permissions that some of these apps have and whether they’re true to their function. For example, does your jogging app really need access to your camera?
Additionally, remember to delete any apps that you may not have used for a long time. Not only will this free up precious space on your phone, but you also cut the risk of the apps in question getting hacked and consequently tapping into your sensitive data.
Apple prides itself on the security it provides its users, and in the past, hacking iPhones was quite expensive and much more difficult than hacking Android devices. This is certainly no longer the case, with Google’s external security team alerting the public that an attack targeting thousands of iPhone users has been going on for over two years.
Users were baited to various websites, where their iPhones were infiltrated by malware no matter whether they had an older version of iOS running or even one of the latest ones. This meant that the user’s sensitive data was revealed to cybercriminals, including their device’s keychain, which contains all their passwords, as well as their chat histories. Even the user’s location was updated on a minute-by-minute basis.
There is no doubt that hackers are getting more sophisticated, especially when it comes to attacks carried out by nation-state adversaries. This means that your information could be monitored at all times without your knowledge.
Targeted people don’t have to be high-profile individuals, but can be part of a certain ethnic group that is under surveillance. To thwart such attacks, users can take various steps to protect themselves, with the best options being investing in antivirus software or a VPN.