According to cybersecurity researcher and Project Zero member Ian Beer, the attackers don’t need to choose their targets, as any visitor is vulnerable to the attack when they visit the website. If the phone is successfully compromised, a monitoring implant is discreetly installed on the victim’s iPhone. Additionally, researchers were able to conclude that the exploit seems to affect iPhones running iOS 10 through the most current iOS 12. The software was said to have sent contacts, images, live GPS location and other data to the hacker’s server at 60-second intervals.
The implant was also capable of stealing data from certain apps based on their own references. Even worse, it was discovered that the malicious software is capable of intercepting encrypted data from apps such as WhatsApp and Telegram and transferring it to the attackers’ servers. If the phone is restarted, the implant is rendered inactive until the device is exploited again when the user visits the malicious site. Nonetheless, sensitive information will already have been taken from the phone during the first attack.
It should also be noted that the exploit allows attackers to gain root access to an iPhone, which allows the implanting process to take place quietly. As Apple was not aware of the exploit, it was classified as a zero-day exploit. Ultimately, Google’s researchers notified Apple of the vulnerabilities back on 1 February. Six days later, Apple released a security patch in the iOS 12.1.4 update, far fewer than the typical 90 days given to software developers. On that note, we recommend iPhone users keep their devices as up to date as possible to minimize security risks. (Source: BBC, Project Zero Blog via Techcrunch, Image: Getty Images)