A recent wave of iPhone hacking operations that infected “thousands of users a week” until January has been brought to light by researchers at Google’s Project Zero security team. Apple’s iPhones are widely considered to be the most secure devices out there. The general perception is indeed true; however, the hacking demonstrates that despite the iPhone being the most secure platform, hacking may spread to any platform with some user negligence. Therefore, I believe it is important to educate ourselves on the best practices of internet security and privacy.
Hackers exploited a technology vulnerability that allowed spyware to be installed when a user simply visited one of the infected websites. Typically, hacking takes place in the form of ‘phishing’ attacks that impersonate a real website, where the unsuspecting user enters their authentication details or private information, which is then sent directly to the bad actors. However, this is an unprecedented case where no interaction by the user, such as clicking a link, was required for the attack to be successful.
The nature of the attack concerned me, because there does not seem to be a way to know whether a website is infected. Once you have entered the website, there is no clear indication as to whether your device has been infected either, as the spyware works behind the scenes stealing your private information. The attack, which remained covert for over two years, fetched crucial information from the affected users. This included access to the iPhone’s keychain app, which contains passwords, as well as chat histories from encrypted services such as iMessage, WhatsApp and Telegram. I found it concerning that not only was the users’ physical location being shared, but it was also updated with feeds every minute.
Devices running iOS 10 through to the latest version of iOS 12 were found vulnerable to the exploit, which includes the majority of the users. Google advised that it had forwarded the security concerns to Apple on 1 February. Apple promptly responded by releasing an operating system update that addressed the exploits on 7 February.
A limitation in the attacks was perhaps the inconsistency of the spyware; the malware was cleared from memory after a restart of the phone, until the user revisited one of the compromised websites. In light of this information, some users may restart their devices in an attempt to cleanse their phones of malware. However, I would urge that a mere restart of the system is not enough; it does not negate the prior collection of private data, which is not accessible to you as a user.
One of the more astonishing things about this iPhone hack is that the implant was uploading data unencrypted.
So it would get your WhatsApp messages in plain text and make more of a mockery of the encryption by passing the info around unencrypted. https://t.co/U2d3fuVXvG
— Thomas Brewster (@iblametom) August 30, 2019
Moreover, it is very likely that the collected data may be used for authentication at other websites (where you may be registered) to steal further information in the future. For instance, hackers may use your credentials from Facebook to make their way into your Twitter account, assuming that you keep the same passwords on multiple websites.
Ian Beer from the security team at Google voiced similar opinions: “Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device.”
Therefore, I believe it is important to educate the digital technology community on best practices for internet security. First and foremost, always keep your device up to date so that you are protected from any identified exploits. Secondly, do not open links from people that you cannot trust. This will protect you from some of the most common hacking techniques – regardless of the device you are on. Ideally, create a unique password for each website; in the event that one of your passwords becomes known, your other accounts may not be affected.
A limitation that is often brought up is that you can only remember so many passwords. I would recommend using your browser’s built-in password suggestions that pop up when you register on a new website. This feature suggests and also remembers passwords that include special characters such as “$”, “@” and “#”, rendering anyone’s guess extremely difficult. Such preventive measures will significantly reduce the chances of you being hacked.
The motivation behind the hacks remains unclear, as anyone visiting the hacked websites could be infected with malware. However, I believe it formed a great opportunity to learn how hackers get away with stealing your private information and how to strengthen your online identity and privacy amid the increasing threats to cyber-security.
Mehroz Rasheed Abbasi is a tech analyst, author of the book “Swift Programming and Augmented Reality with iPhone”, set to release later this year, and an established iOS software developer. The views expressed in this article are the author’s own and do not necessarily reflect the editorial policy of Global Village Space.