The researchers at Google’s Threat Analysis Group discovered a set of hacked websites which were being used in indiscriminate ‘watering hole’ attacks against their visitors, using iPhone zero-day exploits. ‘Zero day’ refers to an exploit which takes advantage of a vulnerability that the affected company is not yet aware of. This means that, in the case of Apple, the company had “zero days” to find a fix.
It was the ease of the attack which also surprised the Google researchers; simply visiting the hacked site was sufficient for the exploit server to attack a device. When an attack was successful, the hackers were able to install a monitoring implant. There may have been thousands of such attacks taking place each week, until the flaw was addressed.
In terms of what the malicious code could do, Motherboard reports that the code was primarily aimed at stealing files and uploading live location data. The malicious implant polls a command and control server for new commands every 60 seconds.
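One way a defender could look for the kind of fixed-interval polling just described in outbound proxy logs, as an added Python example that is not from the article or from Google's report; the log lines, client addresses and host names are constructed, and the 60-second interval is the one the article cites:

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<timestamp> <client> <destination host>".
# 10.0.0.5 reaches cmd.example.net about once a minute with slight jitter;
# everything else is ordinary, irregular browsing.
SAMPLE_LOG = """\
2019-08-30T10:00:00 10.0.0.5 cmd.example.net
2019-08-30T10:00:07 10.0.0.9 news.example.org
2019-08-30T10:00:12 10.0.0.9 news.example.org
2019-08-30T10:00:30 10.0.0.5 updates.example.com
2019-08-30T10:01:01 10.0.0.5 cmd.example.net
2019-08-30T10:02:00 10.0.0.5 cmd.example.net
2019-08-30T10:02:59 10.0.0.5 cmd.example.net
2019-08-30T10:03:40 10.0.0.9 news.example.org
2019-08-30T10:04:00 10.0.0.5 cmd.example.net
2019-08-30T10:04:05 10.0.0.9 news.example.org
2019-08-30T10:05:30 10.0.0.5 updates.example.com
"""

def parse_log(text):
    """Group request timestamps by (client, destination host)."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, client, host = line.split()
        series[(client, host)].append(datetime.fromisoformat(stamp))
    return series

def find_beacons(text, expected=60.0, tolerance=5.0, min_hits=4):
    """Return (client, host, hits, mean_gap, jitter) for series that look like a
    fixed-interval poll: at least min_hits requests, a mean gap within tolerance
    seconds of the expected interval, and gaps that barely vary (pstdev <= tolerance)."""
    hits = []
    for (client, host), stamps in parse_log(text).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg, jitter = mean(gaps), pstdev(gaps)
        if abs(avg - expected) <= tolerance and jitter <= tolerance:
            hits.append((client, host, len(stamps), round(avg, 1), round(jitter, 1)))
    return hits

if __name__ == "__main__":
    for client, host, n, avg, jitter in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: {n} requests, mean gap {avg}s, jitter {jitter}s")
```

Legitimate software also polls on fixed timers, so a hit is a lead for triage of the destination, not a verdict on its own.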
While the specific iPhone vulnerabilities have now been patched, there are likely to be more risks that have yet to be discovered by mobile phone operators, according to John Aisien, CEO of Blue Cedar. Speaking with Digital Journal, he notes that much of the media coverage has focused on the protection that security software promises against this type of attack. However, in this incident the security software is actually the scapegoat.
The real culprit, Aisien argues, is the security software update integration time. In other words, the gap between the moment the chosen security product puts out an update (which happens all the time) and the moment the vendor is able to integrate it successfully. This is something that is often gruelling and massively overlooked as a threat.
Aisien states: “Mobile device security has historically been a slow-moving and often frustrating undertaking, but the result has created spikes in mobile device weaponization.”
This brings with it new vulnerabilities for mobile devices: “This raises profound concern about the security of the devices we carry around on an everyday basis, and which we increasingly use to access and process both personal and corporate data. By hacking into popular mobile apps like WhatsApp and iMessage, cybercriminals can gain access to sensitive information like encrypted messages, personal health information, location data, and in extreme cases, things like industrial plans or sovereign policies like we saw with the recent Huawei news in Africa.”
He expands on the main reason for the iPhone attack and other potential attacks: “This type of attack will come as a shock to some, as it goes against the security promised by these types of applications. But the security software likely isn’t the culprit here – it’s possible this breach is the result of a lapse in the security update integration time.”
And in terms of what needs to be done, he recommends: “Companies should be responsible for immunizing their applications to prevent potential devastation, as ineffective mobile device and data security is something that will continue to generate concerns in the coming years.”
