It could be shocking for anyone who has always rested assured that Apple takes care of security better than any other company out there. As it turns out, iPhones are really not that secure: Google has discovered a flaw in their security.
Google’s Project Zero team found the flaw that made iPhone users vulnerable to data and privacy compromise as they visited certain websites. The more surprising aspect of the story is that this flaw had been there for more than two years.
There was no discrimination among victims in this case. When it comes to cybercrime, discrimination refers to hackers targeting a specific group of people and leaving others unharmed.
The hackers had set up certain websites that were always connected to an infected server. Anyone who visited these websites opened the door for malware to enter their device. The malware got access to all the private and personal data on the iPhone.
It would capture, collect, and disseminate the data pertaining to the person’s location. It further scooped their personal messages and any photos stored on the phone. It is unknown what the information was and is being used for.
However, the team behind Project Zero has revealed that the users’ information is not safe in any way after they have visited one of these websites. Encryption is of no use once a monitoring implant has been installed onto the device, which continuously collects real-time user data and sends it to the hackers.
The team also confirmed that the malware was designed to attack the keychain on the device. In simple terms, if you use an iPhone and you visit one of the infected websites, your passwords will also be visible to the hackers.
What’s even more surprising is that the hackers had been collecting data for over two years. According to a rough estimate by the Project Zero team, hundreds of thousands of visitors must have visited those websites in those two years.
While Apple was busy showing off the sleek looks of its new iPhones and the “improved” and “all-new” iOS 10 features, it was opening a door for the hackers to steal its users’ data at the same time. Of course, that’s not something the company could have boasted about, but the fact that the vulnerability remained intact until iOS 12 has to be worrying for iPhone users.
What makes matters worse is that Apple’s security teams were still not able to find the flaw. On the other hand, you have Google’s Project Zero team working specifically on zero-day vulnerabilities.
After the discovery of the security flaw, Google sent a report to Apple about it. The company fixed the issue as soon as it launched the latest patch for its iOS 12. It is surprising that the company’s efforts to award millions of dollars in bug bounties were not enough to encourage someone to catch the vulnerability and report it to Apple.
Perhaps developers and programmers like to enjoy the peace of mind that iOS’ security cannot be compromised. The recent discovery of such a huge vulnerability, and the fact that it went undiscovered for two years, is a huge question mark not only for the giant smartphone maker but for the developer community as well.
It has to be mentioned here that Google gives companies 90 days to fix any vulnerabilities that it discovers through Project Zero’s efforts. The company can fix the issue within those three months; otherwise, Google can make the information about the issue public. This can be damaging for the company and its reputation.
Some people from the developer community raise questions about the working of Google’s Project Zero. They think it is not fair for Google to make the information about a company’s security vulnerabilities public. But the question is, “What if the company never fixes the issue because it is not accountable for its mistake in any way?”
Of course, Google is not the authority to slap penalties on other companies for flaws in third-party applications. However, it definitely has the right to protect public data and to inform people that their data is being stolen if the software maker is not doing anything about the issue.
For iOS users, the only silver lining is that the attack from the website becomes null if they reset their phones. Wiping the data off the phone wipes away the malware as well. However, there are two caveats associated with that.
One, the data that has already been stolen from their devices is still out there on the internet and accessible to some hacker who could do anything with the passwords, photos, messages, etc. that they get their hands on.
Two, they are safe only for as long as they do not visit the same website again. At this point, iOS users would want to know which websites contain the malware. And that’s where Google’s 90-day policy makes sense. If there were no 90-day problem-fixing policy from Google, users would never know that their data was being stolen while the company they trust does nothing about it.
About Zero-day Vulnerabilities
In the world of hacking and antivirus software, or programming in general, a zero-day vulnerability is one that developers or programmers have only just discovered. Since they discovered the vulnerability today, they have had no chance to come up with a solution to the problem.
In simple words, the programmers had zero days, that is, no time at hand, to find a fix for the problem. If an attack takes place based on this zero-day vulnerability, it is termed a zero-day attack.
The damage done by zero-day vulnerabilities can be huge because it usually takes companies several weeks or months to fix the issue. You can see that from Google’s 90-day policy of giving companies time to fix the issue. If these issues were that easy to fix, Google would not give them three months to come up with a solution.