Google reveals years-long 'indiscriminate' iPhone hack

Most of the vulnerabilities targeted were found in the iPhone's default Safari web browser

(FILES) In this file photo taken on September 9, 2015 a reporter walks by an Apple logo during a media event in San Francisco, California. Apple sent out invitations on August 29, 2019 to a September 10 event at its Silicon Valley campus where it is expected to unveil a new-generation iPhone.In its trademark, tight-lipped style, Apple disclosed little about what it plans to spotlight in the Steve Jobs Theater at its headquarters in the city of Cupertino.For years now, Apple has hosted events in the fall to launch new iPhone models ahead of the Christmas holiday shopping season. / AFP / Josh Edelson

Apple will pay a reward of Dh3.7m to any hacker who can remotely gain full control of an iPhone without the knowledge of its owner. AFP

* Agence France Presse
Aug 30, 2019
Powered by automated translation

Google security experts uncovered an "indiscriminate" hacking operation that targeted iPhones over a period of at least two years and used websites to implant malicious software to access photos, users' locations and other data.

In a post on the blog of Google's Project Zero security taskforce, cyber experts did not name the hacked websites hosting the attacks, but estimated they received thousands of visitors a week.

“Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” said Project Zero's Ian Beer.

Once installed, the malicious software “primarily focused on stealing files and uploading live location data,” Mr Beer said, adding it had been able to access encrypted messenger apps like Telegram, WhatsApp and iMessage.

Google hangouts and Gmail had also been affected, he added in the post, which provided a detailed breakdown of how the malicious software targeted and exploited iPhone vulnerabilities.

Most of the vulnerabilities targetted were found in the iPhone's default Safari web browser, Mr Beer said, adding that the Project Zero team had discovered them in almost every operating system from iOS 10 through to the current iOS 12 version.

Read More
Apple's decision comes after privacy concerns were raised earlier this month. Getty
Apple offers Siri review opt-out for users
Apple sheds $44bn of market value as fears grow over impact of tariffs

Once embedded in a user's iPhone, the malicious software sent back stolen data, including live user location data back to a “command and control server” every 60 seconds.

Mr Beer said Google had informed Apple of the attacks in February, and Apple subsequently released a security patch.

Earlier this month, Apple said it will pay a reward of $1 million to any hacker who can remotely gain full control of an iPhone without the knowledge of its owner.

The company is expanding its "bug bounty" programme - launched in 2016 and which earmarked as much as $200,000 in reward money for uncovering security issues. Starting next month, anyone can participate in the programme that was previously by Apple invite only.

Long the finacial driver of Apple, iPhone revenue was down 12 per cent from last year to $26 billion in the third quarter.

The tech giant sent out invitations on Thursday to a September event at its Silicon Valley campus where it is expected to unveil a new-generation iPhone.

iPhoneWhatsAppTechnologyApple
Weekend Edition
More from the national