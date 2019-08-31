Security researchers at Google uncovered a "sustained" -- at least two years -- and indiscriminate campaign to hack iPhones through certain websites, allowing attackers to steal messages, files and track location data.

In a blog post published Thursday, Ian Beer, a security expert on Google's Project Zero, detailed how hackers had been using malicious websites to exploit an iPhone software vulnerability. The post did not name the websites or detail how many people were victimized.

"There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant," Beer wrote. "We estimate that these sites receive thousands of visitors per week."

The implant also collected password keychains, messages, address books and other personal information from users' apps, including WhatsApp, Telegram and Gmail.

This type of widespread, random attack is rare, and it may be one of the biggest attacks ever on iPhone users. But there was a limit to the malware's power -- it was erased if the iPhone was restarted, freeing the users unless they returned to one of the malicious websites.

"This is definitely the most serious iPhone hacking incident that's ever been brought to public attention, both because of the indiscriminate targeting and the amount of data compromised by the implant," said former U.S. government hacker Jake Williams, the president of Rendition Security.

Williams said the spyware implant wasn't written to transmit stolen data securely, suggesting an authoritarian state was behind it. He speculated that it was likely used to target political dissidents.

Apple did not immediately respond to a request for comment from The Washington Post.

As Google's external security team, Project Zero researchers are dispatched to find all manner of weaknesses in popular technology. Since it was created in July 2014, the team has found and reported nearly 1,600 hardware and software vulnerabilities. But Project Zero has taken heat for its tough tactics: after reporting a bug, the team gives the vendor 90 days to fix it before Project Zero discloses the details publicly. In some cases, Google will offer an additional 14-day grace period.

Google contends that the hard deadline produces the best results. Earlier this month, Project Zero said that about 95.8% of the bugs it finds and reports are patched before the 90-day deadline.

But when Project Zero informed Apple of the breach on Feb. 1, it gave the tech giant seven days to come up with a fix, citing the need for urgency. The iPhone maker released a software update to fix the vulnerability on Feb. 7.

Apple is notoriously guarded with its products, shielding them from even well-meaning hackers looking to probe vulnerabilities in its operating system. But the company gradually opened its products up to researchers, and recently announced plans to release a hacker-friendly phone to certain experts in the interest of uncovering vulnerabilities faster.

And at the Black Hat security conference in Las Vegas earlier this month, Apple's head of security engineering said the company will pay as much as $1.5 million for a "bug bounty" to any researcher who discovers successful attack techniques on its operating system and discretely reports them to Apple.

In the blog post, Beer wrote that he didn't want to try to put a price tag on the attacks, but said that "$1 million, $2 million, or $20 million" seemed low given the attackers' ability to "monitor the private activities of entire populations in real time."

Beer said that the discovery should dispel any notion that it costs a million dollars to successfully hack an iPhone. That's a reference to the case of a United Arab Emirates dissident whose iPhone was infected in 2016 with so-called zero-day exploits, which have been known to fetch such high prices.

"Zero day" refers to the fact that such exploits are unknown to the developers of the affected software, and thus they have had no time to develop patches.

And while this operation ultimately failed as it was discovered by Project Zero, Beer made clear that there are almost certainly more lurking and preying on people.

"All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them."

Information for this article was contributed by Taylor Telford of The Washington Post and by Frank Bajak of The Associated Press.

