Apple’s prized reputation for protecting its customers’ security and privacy has taken another hit, with the discovery that iPhone owners were susceptible to more than a dozen software vulnerabilities for at least two years.
A sustained hacking campaign that could have affected hundreds of thousands of iPhones was detailed by security researchers at Google in a series of blog posts late on Thursday.
Hackers would have been able to capture iPhone owners’ text messages, photos and device locations until Apple patched the flaw in February.
The news threatened to cast a shadow over Apple’s attempt to build anticipation for new iPhones, as the embarrassing report came just hours after the company announced that it would hold its next product launch event in Silicon Valley on September 10.
Google’s security warning also came hot on the heels of Apple’s apology this week for failing to disclose that contractors were listening to customers’ voice recordings when they used its virtual assistant Siri.
Apple has made protecting its customers’ personal information a cornerstone of its marketing in recent years, as it attempts to distance itself from the privacy concerns surrounding its Silicon Valley neighbours such as Facebook and Google.
Analysts have long suggested that the iPhone and its iOS operating system are more secure than rival smartphones running Google’s Android software.
So Apple watchers and security analysts were shocked by Thursday night’s disclosure from Google that a “small collection of hacked websites” had been used to infect what it estimated could be “thousands of visitors per week” over the course of more than two years.
“This is a huge find by Google’s team,” said Alex Stamos, Facebook’s former security chief and now a researcher at Stanford University, in a tweet.
“This is wild,” tweeted Marcus Hutchins, a security researcher best known for helping to stop the WannaCry attack in 2017. “Maybe I’m missing something, but it feels like Apple should have found this themselves.”
Google’s Threat Analysis Group “was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12”, wrote Ian Beer, a researcher at Google’s Project Zero team, which seeks out so-called “zero-day” or previously unknown vulnerabilities.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.”
Mr Hutchins speculated that state-sponsored actors may be behind the attack. “Generally there’s only a few governments who would throw zero-days around in that manner,” he said.
Apple did not provide a comment.
Though the details of the iPhone vulnerability were not known until now, Apple did acknowledge the attack when it issued the iOS 12.1.4 software update in February.
Apple said in its release notes that it had fixed a flaw whereby “an application may be able to gain elevated privileges”. It credited three Google researchers for discovering the flaw, which it said affected iPhones going back as far as 2013’s 5S model.