iPhone hacks: Secure iOS and OSX is a ‘myth’

“For a long time, there was a myth that iOS and OSX are secure operating systems.”
30 August 2019


Apple’s iPhones, like the Californian tech giant’s products at large, have long held a reputation for the integrity of their in-built security. 

And they should: Apple posted revenue of US$53 billion in Q3 this year. At US$26 billion, sales of the iPhone accounted for just shy of half of that figure.

That’s why today’s news is so alarming. Google’s Project Zero— tasked with uncovering security vulnerabilities with an overall mission “to make 0-day hard”— uncovered “what may be one of the largest attacks against users ever.”

Indiscriminate iPhone attacks

The group announced yesterday (August 29) that they had discovered a series of hacked websites that were delivering attacks designed to hack iPhones— and had been doing so for years, on a massive scale. 

“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” read a post by Project Zero’s Ian Beer.

The infected or ‘boobytrapped’ websites were said to discreetly implant malicious software to gather contacts, images, messages and other data; even real-time location could be compromised. The collected information would be relayed back to an external server every 60 seconds.

“We estimate that these sites receive thousands of visitors per week,” said Beer, who added that his team had discovered attackers were exploiting 12 separate security flaws to compromise devices. 

“Real users make risk decisions based on the public perception of the security of these devices,” said Beer. “The reality remains that security protections will never eliminate the risk of attack if you’re being targeted.”

On learning of the vulnerability in February this year, Apple issued patches (“almost every” iOS version was vulnerable), but its previously enviable reputation for security is now in question, if not already in a state of deterioration.

No ‘completely secure’ OS

While potentially major software vulnerabilities are unearthed by the day, it’s much rarer for them to be discovered “in the wild”, being actively exploited.  

“For a long time, there was a myth that iOS and OSX are secure operating systems and don’t need any security systems like anti-malware to protect them,” Boris Cipot, senior sales engineer at Synopsys, told TechHQ.

The ongoing attack shows that there “is no such thing as a completely secure operating system,” said Cipot, who said the discovery should serve as a “wake up call” to anyone, or any business, under the impression that iOS phones are invulnerable to malware.

“Apple surely did a good job of preventing attacks or making them harder to execute by restricting how the software can be installed and where from. 

“However, this is a control process that lowers the risk of security breaches rather than eliminating it. 

“The level of complexity in today’s software development and the developed functionalities alone bring a certain risk factor and, with that, the possibility for an attack. When other software is installed on the operating system, the risk increases further,” said Cipot.  

Telesoft Technologies’ Field Application Engineer, Raj Kapoor, said despite the indiscriminate nature of the attack, “it doesn’t take a far stretch of the imagination to realize just how big a breach this attack could be.”

“[…] if a high-value target’s phone is breached, such as a state member or politician, would this information be leaked or sold to unscrupulous parties? The answer is probably yes.”

If any public case study was needed for CIOs to arm their teams with Blackphones, this was probably it.