Massive iPhone Hack

Google has just published research showing that an iPhone-based cyber-attack has been going on for the past two years at least. The largest iPhone attack in history, this long-term cybercrime effort has been infecting iOS users with malware that steals their private data.

How Did This Hack Happen?

Known as a “watering-hole” attack, this cybercrime method works by hacking websites so that they infect visitors with malware. It didn’t even require victims to click a link or select a file to download – just by visiting the site on their iPhone, they were infected.

“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week,” said Google’s Ian Beer in their post about the vulnerabilities.

Are You Safe?

Don’t worry – if you’re currently an iPhone user and you keep your operating system updated, then you’re secure. Apple released a patch for the vulnerability back in February of this year.

However, even though you’re safe now, you may have been hit prior to the patch, and not even know it. If you were infected a year ago, then your data was stolen back then, and will already have been compromised.

What Data Was Breached?

Apple expert Jonathan Levin describes the target information as “juicy data”, which includes:

  • Passwords
  • Encrypted messages
  • Locations
  • Contacts

Essentially, the hackers designed the malware to specifically go after the most valuable information you could get off a victim’s iPhone.

Who Is Responsible?

Unfortunately, an attack of this scale is difficult to narrow down to a single attacker, or even a group, unless they were to take credit. However, it is worth noting that Google’s investigation discovered five exploit chains with 14 vulnerabilities, one of which was an active zero-day exploit. That is, Apple had a long list of outstanding bugs that they failed to patch for years – they certainly carry some portion of the blame.

This is yet another example of why it’s important to keep your technology patched and updated. While in this case the necessary patch wasn’t released for years, in most cases, regular patch management is an effective way to protect yourself against known vulnerabilities.
