Aug 30, 2019

Report: Websites hacked iPhones for years

A Brazilian crowd records a Luan Santana concert on iPhones in August, 2019. Photo by Mauricio Santana/Getty Images

According to a report from Google's security research team Project Zero, hacked websites implanted surveillance software onto iPhone users between 2016 and their discovery in February of this year.

Threat level: Project Zero alerted Apple in February to attacks they found, and Apple patched the security flaws fueling the attacks that month. If you use the most current version of the operating system, you are protected from these attacks, and the surveillance software only survived until a victim restarted their phone.

Details: According to the report written by Project Zero's Ian Beer, the malicious websites have been stringing together vulnerabilities in Apple's security for models as early as the 5S in different ways since 2016, changing tactics whenever the operating system was updated.

  • Google found a total of five different chains of vulnerabilities, making use of a total of 14 vulnerabilities.
  • The sites would then install surveillance software onto any phone that visited, making no attempt to limit the spread of the malware beyond whoever visited the sites.
  • The sites still receive thousands of visitors a week, by Google's estimation.

The big picture: Though the report doesn't document which sites delivered the attacks (or who set the sites up), they likely impacted large numbers of victims.

  • Attacks like this are expensive to acquire — on the open market, methods to secretly install software on iPhones can cost millions of dollars — so they are typically used in very narrow attacks.
  • The breadth of this incident was surprising, and could raise public questions about Apple's reputation (and claims) for superior smartphone security and privacy.

Why it matters: What sets this incident apart is that the iPhone vulnerabilities were used to indiscriminately hack phones in bulk.

  • That's rare, and could be a black eye for Apple.
  • But severe vulnerabilities will never be totally preventable. Google and Apple have both seen potent vulnerabilities in the past, and will see them again.
