Google’s Project Zero team was the first to let Apple users know iPhones and related Apple products have been subjected to a breach, Forbes reported Sunday (Sept. 1).
About 1 billion users learned “hacked websites” were used to infiltrate iPhones over the past two years.
Since the attack was sophisticated, scaled and targeted along geographic and demographic lines, a nation state-sponsored perpetrator is suspected.
TechCrunch said Saturday (Aug. 31), “sources familiar with the matter said the websites were part of a state-backed attack — likely China — designed to target the Uyghur community in the country’s Xinjiang state.”
The breach comes on the heels of Apple’s confirmation that the iPhone 11 will be launched Sept. 10.
Two researchers, Natalie Silvanovich and Samuel Groß, who work alongside Google’s security initiative Project Zero, found in July that there were some “interactionless” malicious bugs in iOS that allow hackers to take control of an iPhone through iMessage without even making the victim engage with the texts or click a link.
They found a total of six bugs, and if they were sold on the market, they would be worth upwards of $5 million.
The details of the exploits are being kept a secret because Apple’s iOS 12.4 path hasn’t completely fixed the issue. Four out of the six bugs can trigger a malicious code on an iOS device, and a user doesn’t even need to do anything. Simply sending the message to the phone will execute the code once a person opens and looks at the message.
Two of the bugs allowed a malicious attacker to leak data from memory and then read files from the device with no user interaction.
“There have been rumors of remote vulnerabilities requiring no user interaction being used to attack the iPhone, but limited information is available about the technical aspects of these attacks on modern devices,” Silvanovich said in an abstract of her talk.