Earlier this year, Google's Threat Analysis Group (TAG) discovered a small set of compromised websites serving exploits to iPhones.
Thousands of people a week visited these sites in what's known as a "watering hole" attack: the attacker plants the exploit on a site the intended victims already frequent, so there is no link to click and no file to open. Loading the page is enough to be attacked.
In this case, anyone who arrived on an iPhone was attacked, and when the exploit chain succeeded it installed a monitoring implant.
A successful attack turned the iPhone into a beacon. The implant uploaded the phone's iMessages, photos, and GPS location to the attackers' server, refreshing the location roughly every minute, and it sent all of it unencrypted over plain HTTP. The implant did not survive a reboot, but by then it had already taken the keychain, so the attackers could keep logging in to the victim's accounts after the implant itself was gone.
In other words, they know what you are saying, and they know where you are.
And according to Google, the campaign had been running for at least two years. Undetected until now.
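An implant that phones home on a timer, as the one described above did, leaves a network pattern that is much easier to spot than the exploit itself: the same device contacting the same host at near-constant intervals. The script below is an added example, not code from the SecureWorld article or from Google's write-up. It flags such clockwork flows in a connection log. The log lines are constructed for the example, and the one-record-per-line layout (timestamp, source, destination, bytes) is an assumed format, not any real proxy's or firewall's.

```python
"""Added example: flag devices that contact one host at a near-constant interval,
the traffic shape a timer-driven implant produces. The log format and the sample
records are constructed for this example, not taken from a real product."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.7 reports to 203.0.113.5 about every 60 s (with a
# little jitter), while 10.0.0.9 browses normally. Not real traffic.
SAMPLE_LOG = """\
2019-02-03T10:00:00Z 10.0.0.7 203.0.113.5 4120
2019-02-03T10:00:04Z 10.0.0.9 198.51.100.20 15200
2019-02-03T10:01:00Z 10.0.0.7 203.0.113.5 4098
2019-02-03T10:01:47Z 10.0.0.9 198.51.100.21 880
2019-02-03T10:02:01Z 10.0.0.7 203.0.113.5 4133
2019-02-03T10:02:59Z 10.0.0.7 203.0.113.5 4101
2019-02-03T10:03:30Z 10.0.0.9 198.51.100.20 60210
2019-02-03T10:04:00Z 10.0.0.7 203.0.113.5 4110
2019-02-03T10:05:00Z 10.0.0.7 203.0.113.5 4125
2019-02-03T10:06:12Z 10.0.0.9 198.51.100.22 2200
"""


def parse_log(log_text):
    """Group connection timestamps by (src, dst) from the assumed log layout."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        flows[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    for times in flows.values():
        times.sort()
    return flows


def inter_arrival_gaps(times):
    """Seconds between consecutive contacts of one flow."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def beacon_score(times):
    """Coefficient of variation of the gaps: near 0 means clockwork timing.
    Returns None when there are too few contacts to judge periodicity."""
    gaps = inter_arrival_gaps(times)
    if len(gaps) < 3:
        return None
    mu = mean(gaps)
    return pstdev(gaps) / mu if mu else None


def find_beacons(log_text, min_hits=5, max_cv=0.1):
    """Return (src, dst, mean_gap_seconds) for flows whose timing is regular.
    min_hits keeps one-off visits out; max_cv tolerates a little jitter."""
    found = []
    for (src, dst), times in parse_log(log_text).items():
        if len(times) < min_hits:
            continue
        cv = beacon_score(times)
        if cv is not None and cv <= max_cv:
            found.append((src, dst, round(mean(inter_arrival_gaps(times)), 1)))
    return found


if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: contacts every ~{gap}s, look at that endpoint")
```

The coefficient of variation is used rather than an exact-interval match because real implants jitter by a second or two around their timer; a threshold of 0.1 still separates them cleanly from human browsing, whose gaps vary wildly. Legitimate software also beacons (update checkers, chat keepalives), so treat a hit as a lead to inspect the destination, not as a verdict.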
iPhone attack points to bigger issue around cyberattacks
This reminds us of what Col. Cedric Leighton, USAF (Ret.), told a regional SecureWorld conference this year:
"The problem with cyber is that you don't really feel it. It's not like a bomb goes off, and everybody's eardrums are shot. What you don't see is what's most important in this case."
And in the case of this mass iPhone cyberattack, what victims did not see was that they were suddenly sharing their private information with those behind the attack.
Google's Project Zero discovers more about iPhone Zero-Day attack
Google's Project Zero went to work on this mass iPhone monitoring attack because that's what the team is all about. It goes after "zero-day" vulnerabilities: flaws the vendor does not yet know about, so no patch exists while attackers are already exploiting them.
"Project Zero's mission is to make 0-day hard. We often work with other companies to find and report security vulnerabilities, with the ultimate goal of advocating for structural security improvements in popular systems to help protect people everywhere."
And in this case, it was not just a few iPhone users who needed protection—it was millions of them.
Project Zero found that those behind the attack kept their exploit chains current across iOS releases, swapping in new vulnerabilities as Apple fixed the old ones, so that almost no version of the iPhone's operating system from iOS 10 onward was left uncovered.
Project Zero's Ian Beer spells it out like this:
"TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years."
Clearly, the attackers are motivated.
Who would want to secretly hack and track iPhones?
Could it be a nation-state or government? Perhaps.
Could it be a cartel? Perhaps.
Could it be a cybercrime group that sells "crime-as-a-service"? Perhaps. That's a booming business right now. Read more in our story, Do You Want to Get Rich? Hackers Are Hiring and Looking for Business.
Here at SecureWorld, we often block blog comments where hackers, or those who hire them, try to sell their services: "Track your boyfriend's iPhone, he will never know you can do this" or "Who is your wife really texting all day? I used these hackers to find out, and I could monitor everything she was doing on her phone."
Research has shown a lot of these sales pitches are scams, but some actually do offer cybercrime for hire.
Regardless, some entity involved finds more value in secretly monitoring certain targets than in reporting the exploits to Apple.
Today, reporting a chain like that could be worth up to $1 million under the expanded bug bounty Apple announced at the Black Hat conference in August of 2019.
The Verge covered this one:
"Apple is now opening its bug bounty program to all researchers and the payout is increasing beyond the current $200,000 maximum. The very maximum is a $1 million payout for iOS vulnerabilities that let attackers control a phone without any user interaction."
The chains in this campaign come close to that category, with one caveat: the victim still had to load a web page, and the implant did not survive a reboot, so under Apple's tiers they would land below the top payout, though still well into six figures.
Project Zero worked with Apple on iPhone vulnerabilities
In this case, Google reported the vulnerabilities to Apple, and they have been patched. Apple shipped the fixes in an out-of-band iOS security update, iOS 12.1.4, in February 2019.
But the project's Ian Beer explains why this type of attack should change the way we approach our privacy and what we have on our phones:
"... for this one campaign that we've seen, there are almost certainly others that are yet to be seen.
Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you're being targeted.
All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them."
It is an unsettling thought. However, it also is excellent advice.
[Technical users: Scroll to the bottom of this page to see Google's technical details of the iPhone Zero-Day exploit.]