Anyone who visited a hacked site was compromised.
Through a massive, multi-year effort, hackers obtained access to iPhone users’ passwords, chat histories, and even their locations — and all they had to do was compromise a handful of websites and wait for users to visit them.
The iPhone hacking effort ran for two and a half years, researchers from Google’s Project Zero wrote in a blog post published on Thursday. And while the hackers lost access to an iPhone if a user restarted the device, they could regain it if that person visited one of the compromised sites again.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” Project Zero wrote. “We estimate that these sites receive thousands of visitors per week.”
The New Normal
Project Zero reported the iPhone hacking to Apple in February 2019. One week later, Apple released an operating system update that fixed the 14 bugs exploited by the attack — but while that update may have put an end to this hacking effort, Project Zero researcher Ian Beer suspects it probably wasn’t wholly unique.
“For this one campaign that we’ve seen, there are almost certainly others that are yet to be seen,” he told The Guardian.
“All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly,” he continued, “treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”
READ MORE: Google says hackers have put ‘monitoring implants’ in iPhones for years [The Guardian]