Google Says Hackers Have Put 'Monitoring Implants' in iPhones For Years (theguardian.com)

An unprecedented iPhone hacking operation, which attacked "thousands of users a week" until it was disrupted in January, has been revealed by researchers at Google's external security team. From a report: The operation, which lasted two and a half years, used a small collection of hacked websites to deliver malware on to the iPhones of visitors. Users were compromised simply by visiting the sites: no interaction was necessary, and some of the methods used by the hackers affected even fully up-to-date phones.

Once hacked, the user's deepest secrets were exposed to the attackers. Their location was uploaded every minute; their device's keychain, containing all their passwords, was uploaded, as were their chat histories on popular apps including WhatsApp, Telegram and iMessage, their address book, and their Gmail database. The one silver lining is that the implant was not persistent: when the phone was restarted, it was cleared from memory unless the user revisited a compromised site. However, according to Ian Beer, a security researcher at Google: "Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device."

  • by AHuxley ( 892839 ) on Friday August 30, 2019 @09:50AM (#59140896) Journal
    NSA?
    Re "The one silver lining is that the implant was not persistent"
    They got the voice print they needed. That's not a "silver lining".
  • by Anonymous Coward on Friday August 30, 2019 @09:54AM (#59140926)
    How the fuck is it possible to receive malware on such scale by just visiting a website?
    • by bill_mcgonigle ( 4333 ) * on Friday August 30, 2019 @10:36AM (#59141094) Homepage Journal

      > How the fuck is it possible to receive malware on such scale by just visiting a website?

      Chained exploits, usually. A small compromise in X, Y, & Z gets you the whole deal.

      People tend to dismiss local privilege escalation exploits, because the one exploit isn't "that bad" without a remote exploit, but then as soon as there's a remote exploit, they chain together - sometimes nine or ten other exploits - and get local root.

      It's usually a result of bad memory management which is endemic in C/C++ programming. Rust isn't a magic bullet, but watch for somebody to enter the market with a Rust-based smartphone OS and start to gain traction.

      It might be possible to do a secure smartphone with C/C++ using only the top 1% of programmers, but the other 99% seem to want jobs too. Empirically, the status quo makes it impossible to build a secure OS.

      Zerodium will pay you $2M to shut up about your exploit stack so they can sell it to spooks, so there are plenty of people spending their days looking for these exploits.

      The take home message: your phone is vulnerable, even if you have all the patches installed. Don't trust it for secure computing. Engage in evasive measures frequently when you have to violate that rule to make money, and don't use biometrics for authentication ever.

      • by dfghjk ( 711126 ) on Friday August 30, 2019 @10:52AM (#59141166)

        What is a "Rust-based smartphone OS" and are you suggesting that only Rust considers memory management?

        How much "C/C++" is required for a "smartphone OS" to be C/C++-based?

        If applications run in virtual machines and use memory-safe development techniques, how much does it matter that unrelated code is written in "C/C++"?

        Isn't it important that the code being attacked actually have vulnerabilities? Would that not be the browser in this case? Do you think that making a Rust-based OS spontaneously fixes browser vulnerabilities?

        It would appear that you know enough to drop some buzzwords and post some terrifying conclusions but not enough to actually make much sense.

        • by Anonymous Coward on Saturday August 31, 2019 @12:58PM (#59144280)

          "use memory-safe development techniques"
          Only a small number of developers are capable of creating hardened memory-safe applications. But even the top 1% of programmers can not create 100% memory-safe applications.

          "how much does it matter that unrelated code is written in 'C/C++'"
          It matters because the number of developers with this particular skillset is shrinking. The majority of programmers work with Java, .NET, and all the various client side scripting packages. The majority are not building the various engines and interpreters that they reference when building their applications.

      • by hcs_$reboot ( 1536101 ) on Friday August 30, 2019 @01:33PM (#59141746)

        > How the fuck is it possible to receive malware on such scale by just visiting a website?

        Chained exploits, usually.

        Yeah but we are not talking running apps, we're talking about websites, containing pics, html, css and javascript. Would be interesting to know more about the exact method of hacking.

        • by ezdiy ( 2717051 ) on Monday September 02, 2019 @06:36AM (#59148566)

          Would be interesting to know more about the exact method of hacking.

          Same as jailbreakme. The starting vector is a browser sandbox escape. Usually it's not an "infected website" as such (too loud). Targeted attacks tend to be far more subtle, such as a link shortener posted by a somewhat popular, innocent (but compromised) user on Twitter. This is greatly aided by things like link autoshortening on Twitter - thus no suspicion is raised when the adversary injects their own URL on the same shortener.

          When other Twitter users click such a thing, the link points to an attacker controlled redirect which selectively 302s to the correct target for everyone - except the target user (time of day, user agent, ISP). Using subtle attacks like this is crucial to keeping the weaponized 0day alive for some time.

      • by Malc ( 1751 ) on Friday August 30, 2019 @02:54PM (#59142024)

        It's usually a result of bad memory management which is endemic in C/C++ programming. Rust isn't a magic bullet, but watch for [...]

        ... the smug expressions to be replaced by terror when the 99% of Rust users who suffer from endemic complacency discover it too has vulnerabilities and they don't know how to cope or eat humble pie.

        • It's really funny how exploits against JavaScript engines (in web browsers) bring out the people saying "this wouldn't happen if only they used a memory-managed language..." as though JS gives access to raw pointers or something. What makes some people think their managed runtime of choice is going to be less vulnerable to memory corruption exploits than all the other managed language runtimes out there? Java (applets) and Flash were also both supposed to be managed-code runtimes that made it safe to run untrusted code, and we all know where that went...

          Yes, if the runtime is itself written in a memory-managed language then exploitation gets harder - you now need to find an additional vulnerability at the same time - but as GP (correctly) points out, it's quite common for multiple exploits to be chained together. That's not to say it's not a good idea anyhow, but it's not a panacea, and it has serious costs. Not just the usual concerns about performance and code size - although those matter, especially for mobile devices - but the simple fact that rewriting an entire OS, or even just half of an OS (the kernel and core user-mode functionality, or the user interface, application stack, and in-box applications), in *any* language is a major undertaking. Android and iOS (and for that matter, Maemo and Windows Phone and most other smartphone or PDA operating systems) were built on existing kernels and re-use a ton of existing code. Even the platforms that use purpose-built kernels have been revising those kernels for years, rather than throwing them out and building a new one (and everything on top of it) from scratch.

          At the end of the day, the code needs to run on the CPU, and the CPU doesn't understand high-level languages or managed memory. It understands loads and stores, branches and jumps (and maybe calls and returns, in a sufficiently CISC architecture), registers and offsets, page tables and system calls. No matter how safe the language you write the code in, the compiler / JIT / interpreter is going to have to translate that safe language into the fundamentally unsafe language that the CPU speaks, and that translation can have bugs.

          • by aberglas ( 991072 ) on Friday August 30, 2019 @11:04PM (#59143128)

            You are comparing apples to oranges. Are you saying that it would be a good idea to run untrusted apps in C?!!

            If the browser itself was written in Java then there would be far less exploits. And it might run 10% slower, who cares.

            The idiot thing is to run untrusted apps at all. On every single web site. You cannot see content without running their code.

            And HTML itself is an over engineered mess.

            It is not surprising that there are security flaws. What is surprising is that there are not many more of them.

            What is needed is Secure HTML. A small subset that one could have some confidence in being safe.

            • by Narcocide ( 102829 ) on Sunday September 01, 2019 @02:02PM (#59146938) Homepage

              There are almost zero exploits in HTML itself. Most of them are a combination of JavaScript and CSS features that only incidentally leverage HTML. Without the JavaScript and CSS there would be almost no attack surface whatsoever on HTML. You would only need to remove from HTML a couple style-related tags and properties that are mostly deprecated now anyway.

      • by BitterOak ( 537666 ) on Friday August 30, 2019 @03:35PM (#59142164)

        Don't trust it for secure computing.

        Yeah, but with phones the issue isn't secure computing, but secure living. According to the article, with this hack in place the hacker had access to: all your location data, all your private communications, address books, photos, etc. Phones aren't for computing; they're for living. If you carry your phone around with you, as most people do, your complete location history is available to the hacker. Just imagine what people could learn about you that way.

      • by Joce640k ( 829181 ) on Monday September 02, 2019 @01:37AM (#59148220) Homepage

        It's usually a result of bad memory management which is endemic in C/C++ programming.

        It might be possible to do a secure smartphone with C/C++ using only the top 1% of programmers, but the other 99% seem to want jobs too.

        As soon as you write "C/C++" as a single word then you've already lost the argument.

        C and C++ are totally separate languages.

        In C++ this can throw an exception:

        #include <vector>   // the template argument below was lost in the page; int is assumed
        std::vector<int> myArray(100);
        myArray[101] = 0;   // index past the end of a 100-element vector

        (and this is the default behavior in most modern C++ development systems, eg. Microsoft Visual Studio)
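As an added illustration of the checked versus unchecked access the comment above is about (example code written here, not the commenter's): std::vector::at() always bounds-checks and throws std::out_of_range, whereas operator[] is unchecked in the standard and only some toolchains add a debug-mode check, so a defensive helper should use at() and handle the exception. Function names are this example's own.

```cpp
#include <cstddef>
#include <stdexcept>
#include <vector>

// Writes v[idx] = val only if idx is inside the vector. std::vector::at()
// performs the bounds check itself and throws std::out_of_range when the
// index is past the end, so the bad write never reaches memory.
// Returns true when the write happened, false when it was rejected.
bool checked_store(std::vector<int>& v, std::size_t idx, int val) {
    try {
        v.at(idx) = val;       // bounds-checked by the standard library
        return true;
    } catch (const std::out_of_range&) {
        return false;          // rejected: no write past the end of the buffer
    }
}

// Builds a vector of `size` elements and attempts a checked write at `idx`.
// Generalises the comment's example (size 100, index 101) to any pair and
// reports whether the write was blocked.
bool write_is_rejected(std::size_t size, std::size_t idx) {
    std::vector<int> myArray(size);
    return !checked_store(myArray, idx, 0);
}

// Unchecked form for contrast: operator[] performs no range check in the
// C++ standard, so an out-of-range index is undefined behaviour (typically a
// silent out-of-bounds write in a release build; a debug build may abort).
// Only ever called with an in-range index here.
void unchecked_store(std::vector<int>& v, std::size_t idx, int val) {
    v[idx] = val;
}

int main() {
    std::vector<int> myArray(100);
    unchecked_store(myArray, 50, 1);            // in range: fine either way
    bool rejected = write_is_rejected(100, 101); // the comment's case
    return rejected ? 0 : 1;                    // exit 0: the bad write was blocked
}
```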

    • by Type44Q ( 1233630 ) on Friday August 30, 2019 @10:39AM (#59141106)
      Active scripts. Web pages haven't been limited to static HTML for a decade or two.
    • by AHuxley ( 892839 ) on Friday August 30, 2019 @10:40AM (#59141112) Journal
      1. Set up a company with a NSA and GCHQ level of math questions for new staff.
      2. Set the internet task for someone.
      3. Global results.

      If the NSA and GCHQ could do cyber for years, why can't other people/nations/groups/faiths/brands find equally smart people?
      PRISM worked and nobody noticed/reported much.
    • by sectokia ( 3999401 ) on Saturday August 31, 2019 @05:27AM (#59143428)
      The details are here: https://googleprojectzero.blog... [blogspot.com] Basically a huge amount of object oriented stuff is system calls that are really buggy
  • by sinij ( 911942 ) on Friday August 30, 2019 @10:04AM (#59140968)
    This is such a massive compromise that it makes me think intentional backdoor or FUD from Google.
    • by MagicM ( 85041 ) on Friday August 30, 2019 @10:14AM (#59141010)

      I agree. A website was able to download someone's "Gmail database"? That seems improbable.

      Also important from the article:

      Google said it had reported the security issues to Apple on 1 February. Apple then released an operating system update which fixed the flaws on 7 February.

      • by MagicM ( 85041 ) on Friday August 30, 2019 @10:33AM (#59141080)

        After reading the original source linked from here, I retract my previous statement. Improbable, but possible, and fascinating.

      • by Monster_user ( 5075027 ) on Friday August 30, 2019 @10:44AM (#59141148)
        An exploit which can elevate access to "root" can do whatever it wants. GMail databases are potentially what brought it to Google's attention. Google may have been investigating a potential security vulnerability in the GMail application and traced the vulnerability to a website frequented by the affected user.

        Security is an art not a science. You protect against everything you can think of, and hope somebody thinks through the new features and updates added afterwards. The attackers then check behind you to see if you thought of everything...
      • by AmiMoJo ( 196126 ) on Friday August 30, 2019 @10:49AM (#59141158) Homepage Journal

        TFA says that it was able to get the user's keychain, which contains all their saved passwords and is likely enough to log in to Gmail in many cases. Or maybe they just got it through the browser, or stole the Mail app's database and the journalist put "Gmail" for some reason.

        While it's nice they fixed it, it was out there for years before they did. Who knows how many victims there were. Maybe all those celebrities who got hacked?

        • by BringsApples ( 3418089 ) on Friday August 30, 2019 @01:40PM (#59141762)

          Who knows how many victims there were.

          I do - everyone that has a smart-phone. All of them, mine too, are used half way for you, and half way for $others. Our information is bought and sold every day, and without this portion of society, the money market would fold so much that the economy would probably collapse. Not to mention how many people would be out of a job.

          I find it odd that every time I read about another hack "...by simply going to a website..." they never tell us which website(s). When an app(s) is/are found to have been riddled with back-doors, they never tell us which app(s).

        • by aberglas ( 991072 ) on Friday August 30, 2019 @11:08PM (#59143134)

          That is what is unbelievable.

          That anyone could think that it was possible to implement a secure browser with so many points of attack.

          Nobody really understands all of HTML/JavaScript etc.

      • by DigitAl56K ( 805623 ) on Friday August 30, 2019 @11:15AM (#59141244)

        I agree. A website was able to download someone's "Gmail database"? That seems improbable.

        Improbable how? Do you not understand how these things work? Once you can grab the service access tokens you can go and pull down all the content just the same as an authenticated user can.

        What's "improbable" about it?

      • by minstrelmike ( 1602771 ) on Saturday August 31, 2019 @06:03PM (#59144848)
        They downloaded the gmail dbs from an iPhone, so it was how the dbs was stored by Apple, not by Google. If you don't use the APIs or don't trust them or the other company won't give them to you, then the workaround is a download of everything. Doh!
    • by Cmdln Daco ( 1183119 ) on Friday August 30, 2019 @10:25AM (#59141046)

      Form a circle, fingers in the ears. Begin chanting....

    • by AHuxley ( 892839 ) on Friday August 30, 2019 @10:43AM (#59141138) Journal
      NSA and GCHQ did that to global telcos and big trusted brands for years.
      The US and UK have a global monopoly on networked computers?
      If they could stay hidden? Not noticed? Not detected? Not considered? Not looked for? Not reported?
  • What websites? (Score:5, Interesting)

    by tomhath ( 637240 ) on Friday August 30, 2019 @10:07AM (#59140980)
    Odd that they don't mention the "hacked websites". Thousands of distinct visitors per week makes me suspect these weren't mom&pop sites. Porn? China?
  • by lsllll ( 830002 ) on Friday August 30, 2019 @10:10AM (#59140992)
    I wonder now that this is out, whether the hackers will start posting politicians' compromised information online.
  • by Luthair ( 847766 ) on Friday August 30, 2019 @10:15AM (#59141014)
  • by Midnight Thunder ( 17205 ) on Friday August 30, 2019 @10:26AM (#59141050) Homepage Journal

    Given that Google creates Android and is also creating these reports, there does seem to be a possible conflict of interest? How often do these Google security reports document issues on Android devices?

  • by skids ( 119237 ) on Friday August 30, 2019 @10:39AM (#59141108) Homepage

    Remember the old saying "Don't put all your eggs in one basket?"

    s/eggs/credentials/; s/basket/place/;

  • by hraponssi ( 1939850 ) on Friday August 30, 2019 @10:43AM (#59141132)

    I am not a big fan of Google but it is nice for them to be putting efforts into Project Zero. This is the kind of thing that would be nice for government entities to be researching and addressing. Instead of only looking for ways to spy on everyone, at least look for the commonly used exploits and hacks targeting people, and address those. But no. Unless it is them, of course..

  • by harriscraft01 ( 6202704 ) on Friday August 30, 2019 @10:54AM (#59141168)
    Does anybody find this a little fishy -- Google releasing information about the hack just weeks before the new iPhone release?
  • by gweihir ( 88907 ) on Friday August 30, 2019 @11:09AM (#59141226)

    This is pretty much a statement of the nature of "our competitor's product sucks". Without convincing evidence that both their claim is correct and that their own product does not have the problem, this statement is completely worthless.

    • by Anonymous Coward on Friday August 30, 2019 @11:30AM (#59141302)
      Yeah, point taken. But what if it's true? Still matters. You can tell truth for wrong reasons without making it untrue.
    • by mikechant ( 729173 ) on Friday August 30, 2019 @12:07PM (#59141442)

      The 'convincing evidence' you require is right there in the article, as quoted in this comment: https://apple.slashdot.org/com... [slashdot.org] - that Apple released a patch *less than a week* after being notified by Google.
      Do you think that Apple would have done that if Google had identified a minor or theoretical issue?

      • by gweihir ( 88907 ) on Friday August 30, 2019 @05:56PM (#59142544)

        The 'convincing evidence' you require is right there - that Apple released a patch *less than a week* after being notified by Google.
        Do you think that Apple would have done that if Google had identified a minor or theoretical issue?

        Not convincing in the least. Apple could have prioritized this exactly because they expected a grande marketing claim by Google. And look, Google is making one.

    • by Anonymous Coward on Friday August 30, 2019 @02:21PM (#59141922)

      I do understand your desire for evidence of these claims (apparently you have to read the article for that, though - and This Is Slashdot so, well...) but I don't understand why you think the worth of the statement is dependent on the lack of such an exploit in other products.

      Like, if I say an apple is red, but I sell oranges, then apples aren't red? I don't get that logic. It just sounds like typical Apple fetishism and apologism.

  • by smooth wombat ( 796938 ) on Friday August 30, 2019 @11:34AM (#59141316) Journal
    when the phone was restarted, it was cleared from memory unless the user revisited a compromised site.

    How many people restart their phones? Since I don't have one of these "smart" phones, do updates require a restart? What other conditions would force the phone to restart?

    What about wiping your browser history and cache? Oh wait, people don't do that either.
    • by Monster_user ( 5075027 ) on Friday August 30, 2019 @11:39AM (#59141330)
      Updates require a restart, and a too low battery condition usually forces a shutdown. Those are the only two factors I have seen other than my own instinctual reboot.

      Many users don't even close open applications. Browsers with open tabs will remain open and consuming data until their user gets their monthly bill, and if they are on a strict data plan they might not even do anything about the browser then.
    • by CmdrPorno ( 115048 ) on Friday August 30, 2019 @02:46PM (#59142002)

      As noted, updates require a restart. As a daily user of a smartphone, I also find that something will start acting wonky at least once a week (without rhyme or reason, sometimes even on consecutive days), and I will force quit all apps and reboot the phone.

      Even when I had a dumb phone, the carriers sometimes requested a restart due to updated carrier settings, etc.

    • by AHuxley ( 892839 ) on Friday August 30, 2019 @08:15PM (#59142812) Journal
      Someone got the data sets they needed ie voice prints.

      Would a restart be part of a "repair" "fix" guide?
      Smart phone not as "quick", as responsive? Try a restart as the easy advice, then bring the smartphone in to an expert for more support?
      An interesting way to have the implant not be found if the user was about to seek advice by looking for a deeper problem?
      Start looking for an issue and the implant is gone.
  • by Malays Bowman ( 5436572 ) on Friday August 30, 2019 @12:01PM (#59141426)

    It's like a prison cell you are locked in. You have no freedom, but thugs from the street still walk in and beat you up.

    "But we are TRUSTWORTHY(R)(TM)(Pat. Pending)! We are your king and thus smarter and better than you!"

  • by WankerWeasel ( 875277 ) on Friday August 30, 2019 @12:05PM (#59141432)
    The team reported these findings to Apple in February, and Apple's release of iOS 12.1.4 that same month addressed the issues.
  • by DogDude ( 805747 ) on Friday August 30, 2019 @12:39PM (#59141538)
    Their location was uploaded every minute; their device's keychain, containing all their passwords, was uploaded, as were their chat histories on popular apps including WhatsApp, Telegram and iMessage, their address book, and their Gmail database.

    Google doesn't like the competition. That's their data!
  • by nospam007 ( 722110 ) * on Friday August 30, 2019 @02:08PM (#59141862)

    You keep using that word, I don't think it means what you think it means.

  • by tuppe666 ( 904118 ) on Friday August 30, 2019 @02:23PM (#59141926)

    Really, is nobody thinking that having Safari do the core rendering is a problem on iOS? I love Android because I can use Firefox.

    Apple being monopolistic is a problem not just for developers and content providers, but for its users too.

    • by NoMoreACs ( 6161580 ) on Friday August 30, 2019 @09:51PM (#59142998)

      Apple doesn't insist upon Safari; it insists upon WebKit. And the reason is simple: Apple doesn't want to vet every single minor release of a dozen (or even a few) Web Stacks.

      Does WebKit have Exploits? Of course! But it would be all the worse with multiple libraries to keep track of.

      Don't like it? Then feel free to choose that other Platform; you know, the one with thousands of known exploits and nefarious apps, rather than the one that has 95% of the application envelope, but has only had a small handful of known vulnerabilities and nefarious apps over essentially the same period of time...

  • by mattyj ( 18900 ) on Friday August 30, 2019 @11:57PM (#59143192)

    ... that someone else is collecting all that valuable data and they're not.

  • by Margaret McGraw ( 6204836 ) on Saturday August 31, 2019 @01:24PM (#59144348)
    I'm thinking of going back to my beloved Blackberry. Yeah, I know it does have all the apps I use and likely don't need, but to my knowledge there are few to zero exploits.
