Google’s Project Zero has disclosed what might be the most significant 0-day iOS vulnerability in recent years that has reportedly plagued iOS users for over two years. In the report, it was found that iOS users can be attacked merely by visiting a hacked website. The scale of hacking can be gauged from the fact that the hacked websites received thousands of visits per week.
The websites were used not just for a massive watering hole attack against the visitors but also to install a monitoring implant on the device, as discovered by Google’s Threat Analysis Group.
The researchers were able to collect five separate and unique iPhone exploit chain which covers a total of 14 vulnerabilities including “seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes”.
The issue was reported by Google to Apple on February 1, 2019, and the latter rolled out iOS 12.1.4 update that patched these vulnerabilities on February 7, 2019.
Anyone who exploited the vulnerabilities could steal private data like iMessages, photos as well as real-time GPS location.
In the News: Apple launches its Independent Repair Provider program in USA
Since the 0-day vulnerability existed for about two years before it was patched, the exact magnitude of the hacks is uncertain, and more so since it affected devices running iOS 10 through iOS 12.
“Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you’re being targeted. To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group,” Ian Beer, Google Project Zero researcher, explains in a blog post.
On Wednesday, Apple announced that they’d resume the Siri grading program after the update coming this fall, which will turn off the retention of Siri interaction recordings by default and will enable users to opt in to let the company use their audio samples. These audio samples will only be reviewed by Apple employees, as opposed to contract workers doing the same previously.
Also read: Snapdragon 855 Plus vs Apple A12 Bionic