An incredibly malicious hack has potentially exposed hundreds of thousands of iPhone victims.
Google researchers recently discovered that an unknown hacker has been using 14 separate security flaws, including especially devastating zero-day vulnerabilities, in iOS to attack iPhone users. But this isn't your typical cyberattack. The cyberthreat involves malicious software that can monitor every aspect of the phone and even take control of it. This is an eye-opener since iPhones have long been thought to be relatively safe when it comes to hackers. No longer. Here's what it means and why it changes much of what we've known about cyberthreats.
I teach a course on Cyber-leadership at Boston University. One of the core messages of the course is that any device or computer system is hackable. However, I also point out that while anything can be hacked, there are typically costs involved in doing so. That means it's more likely that some people or organizations will be hacked than others. Why? Well, because hackers will go after the easiest and most valuable targets with the greatest returns. This is sort of like a car thief who is more likely to steal an expensive car with the doors unlocked and the keys in it than an inspensive car that's locked up and which has an alarm.
"Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant." - Google Researcher
That's especially true of Zero-Day vulnerabilities, which are critical flaws in a program or an OS that can result in devastating vulnerabilities. The thing about zero-day vulnerabilities is that they are relatively rare. These are the crown jewls of hacking. So, when found by hackers they are sold and purchased on the dark web for five, six, or in some cases seven figures. If a hacker is going to spend that much to exploit a vulnerability then they are going to want a return on their investment.
So, if you take basic precautions and you're not a nation state or a large corporation the chances are that you're safe from the most malicious hacks. Clearly there are exceptions to that for ransomware attacks that are much less discriminating, or identity theft. However, most of these hacks are fairly easy to identify and prevent. Zero-day vulnerabilities are much harder, if at all possible, to prevent or for the typical user to detect. They can take over a device, access information, monitor communications, and even commandeer the device and take control of it. I've seen these up close in cyber-exercises I've conducted for my classes. In one case while showing my class the use of the TOR browser to access the dark web a hacker coomandeered my Apple laptop and wiped my entire disk, OS and all, in less than 15 seconds. (I use a burner laptop with no pesonal information or data for these exercises.)
However, iPhones have been considered to be among the safest devices when it comes to cyber vulnerabilities. That meant that the odds were pretty good you were safe on your iPhone as long as a nation state wasn't after you. (It's been shown by Israeli cyber security firm Cellebrite that they can hack any phone without access to the phone and without the user's knowledge or permissions. Cellebrite only provids its software to law enforcement agancies, althogh it's been claimed by some, but never coroborated, that the software was at one point available in-the-wild.)
Well, that math seems to have changed the way we calculate the odds dramatically.
Google's researchers found that the zero-day vulnerabilities on the iPhone could easily allow virtually unimpeded access to everything on the device, from messaging and emails to contact data, access to apps, and even control of the phone.
What's especially insidious about this particular hack is that it didn't target anyone in particular but pretty much anyone with an iPhone. All an iPhone user had to do to be exposed to the explout is to visit a particular website (Google didn't disclose which ones for obvious reasons). Without any further action on the part of the user the malicious software could instantly infiltrate their iPhone and take up shop to do its dirty work.
According to one of the Google researchers, Ian Beer, "Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week." That means that over the course of two years hundreds of thousands of devices may have been infected.
Stop and think about how many times you've clicked on an unassuming link in an email just to realize it wasn't at all interesting and then navigated away.
What To Do
So, what can you do? Well, if you've already been unlucky enough to visit one of these websites (which only Google and Apple know by name) over the course of the last two years your phone could already have been compromised. Of course, the thing is you wouldn't necessarily know if you've been compromised. Apple did patch the zero-day vulnerabilities within days of receiving notification from Google. If you update your iOS when it's suggested by Apple you're at least safe from that point forward. If you haven't updated your iOS do it now!
Once that's done, some basic digital hygiene will help you stay safe going forward. Since most hacks involve clicking on a link of some sort, here are the basic steps to take in order to protect yourself from most cyberrisk.
- Don't' click on any website links that you don't recognize. This is simple, if you don't recognize the URL don't click on it. Yes, I know, how obvious. You'd be surprised at how often this happens.
- If the URL does not start with HTTPS:// be especially learly. Ignore it unless you are sure of the sender and have taken the remaining steps below.
- Scrutinize the URL. Often you'll see a familiar name in the URL and be fooled into believing it's legit. For example americanexpress.mysupport.de is not an American Express URL.
- Scrutinize the sender. It's easy to spoof an email FROM address. If you're not sure send a separate email to the sender and ask if the email is legit. One of the most common forms of phishing emails that fool people into clicking on a link use this tactic since people's defenses go down when they recognize a clsoe friend's or colleague's email as the sender.
- Don't trust the URL link you see in your email. Hover over, or view the message source to see what the actual URL you're clicking on is.
- If you cannot contain your curiosity and desperately want to click on a link then keep a spare laptop (what I called a "burner laptop" earlier) that isn't connected to a local WiFi with other devices that could be compromised and that also has no personally identifiable information or senistive data on it.
- Teach your kids/spouse/partner/employees or anyone in your household or business with a web enabled device to follow all of these steps. One of the most often exploited vulnerabilities of most devices and organizations is a poorly educated user.
- Backup regularly. Your best fail safe is to have regular automated cloud backups of your files. This doesn't mean backing up once a year or once a month but daily. There are many inexpensive automated cloud-based options to do this. If you do nothing else as a result of reading this article at least do this.
- Most importantly, update your OS whenever you get a notification from your device or software vendor. The single greatest source of cyberrisk for every person or organization results from ignored patches or updates.
By the way, if you think you're somehow immune to cyberattack, think again. Cyberrisk is real and it's escalating. As with any other threat, you need to adjust your behaviors to recognize and protect yourself, your family, and your business.