From: Jijesh A [mailto:[email protected]]
Sent: Saturday, August 31, 2019 8:19 AM
To: James Timony
Subject: Google finds 'indiscriminate iPhone attack lasting years' - BBC News


https://www.bbc.com/news/amp/technology-49520355?__twitter_impression=true
Google finds 'indiscriminate iPhone attack lasting years'
The attack affected all models of iPhone, up until the latest version, Google's 
team said

Security researchers at Google have found evidence of a “sustained effort” to 
hack iPhones over a period of at least two years.

The attack was said to be carried out using websites which would discreetly 
implant malicious software to gather contacts, images and other data.

Google’s analysis suggested the booby-trapped websites were said to have been 
visited thousands of times per week.

Apple told the BBC it did not wish to comment.

The attack was shared in great detail in a series of technical 
posts<https://googleprojectzero.blogspot.noclick_com/2019/08/a-very-deep-dive-into-ios-exploit.html>
 written by British cybersecurity expert Ian Beer, a member of Project Zero, 
Google’s taskforce for finding new security vulnerabilities, known as zero days.

"There was no target discrimination,” Mr Beer wrote.

“Simply visiting the hacked site was enough for the exploit server to attack 
your device, and if it was successful, install a monitoring implant."

Mr Beer and his team said they discovered attackers were using 12 separate 
security flaws in order to compromise devices. Most were bugs within Safari, 
the default web browser on Apple products.

'Sustained effort'

Once on a person’s iPhone, the implant could access an enormous amount of data, 
including (though not limited to) contacts, images and GPS location data. It 
would relay this information back to an external server every 60 seconds, Mr 
Beer noted.

The implant also was able to scoop up data from apps a person was using, such 
as Instagram, WhatsApp and Telegram. Mr Beer’s list of examples also included 
Google products such as Gmail and Hangouts, the firm's group video chat app.

The attackers were able to exploit "almost every version from iOS 10 through to 
the latest version of iOS 12”, Mr Beer added.

"This indicated a group making a sustained effort to hack the users of iPhones 
in certain communities over a period of at least two years.”

Are you protected?

Apple issued a software fix to address the flaw back in February.

If you are an iPhone user, you should make sure your device is running the 
latest version of iOS, to make sure you are protected.

To do this, go to Settings and tap General. Under 'Software Update' you should 
be running iOS 12.4.1.

If you are not running iOS 12.4.1 you will be given the opportunity to update 
your device.

Apple's fix

Google’s team notified Apple of the vulnerabilities on 1 February this year. A 
patch was subsequently 
released<https://support.apple.noclick_com/en-us/HT209520> six days later to 
close the vulnerability. Apple’s patch notes refer to fixing an issue whereby 
“an application may be able to gain elevated privileges” and “an application 
may be able to execute arbitrary code with kernel privileges”.

iPhone users should update their device to the latest software to make sure 
they are adequately protected.

Unlike some security disclosures, which offer merely theoretical uses of 
vulnerabilities, Google discovered this attack “in the wild" - in other words, 
it was in use by cybercriminals.

Mr Beer’s analysis did not speculate on who may be behind the attack, nor how 
lucrative the tool may have been on the black market. Some “zero day” attacks 
can be sold for several million dollars - until they’re discovered and fixed.

_____

Follow Dave Lee on Twitter @DaveLeeBBC<http://twitter.noclick_com/daveleebbc>

Do you have more information about this or any other technology story? You can 
reach Dave directly and securely through encrypted messaging app Signal on: +1 
(628) 400-7370

