Earlier this month, in a dimly lit conference room in a swanky Las Vegas conference center, an Apple employee walked up on stage to pick up an award.
The ceremony was the Pwnie Awards, a largely tongue-in-cheek affair that celebrates the best—and in other ways the worst—hacks of the year. Winners receive a My Little Pony-style trophy, and get to reflect and joke about some of the pitfalls their product or company may have fallen into.
In this case, the Pwnie organizers highlighted a bug that allowed people to eavesdrop on others through FaceTime. And when the Apple employee stood up, people seemed surprised. Apple certainly wouldn’t pick this up, they must have thought. (Traditionally, many winners or impacted companies don’t show up to the gala.)
“We’ll do better,” the employee, who did not identify themselves, said. The audience laughed.
Apple does take security and privacy very seriously; the iPhone is generally considered to be the most secure consumer device on the market. But after researchers from Google published details on likely the largest attack against iPhone users to date, in which websites with thousands of visitors a week were found to be infecting iPhones, it’s clear that this is one of the worst years for Apple’s security.
“This is going to follow Apple around for a long time,” Dan Guido, CEO and founder of cybersecurity firm Trail of Bits, which works on iOS, told Motherboard.
Ian Beer from Google’s elite team of researchers called Project Zero revealed the broad and long-running attack against iPhones in a blog post on Thursday. The exact contours of the attack are unclear, but Beer wrote that the campaign was “indiscriminate,” with victims being hacked just from visiting a website. The malware could then steal the contents of WhatsApp and other messages, track the phone’s location, and siphon a user’s passwords.
In all, Google found five distinct chains of iPhone exploits, comprising a total of 14 vulnerabilities, the blog post added. Some of these were zero days at the time of discovery, meaning Apple was not aware of their underlying security issues, and hence had “zero days” to fix them.
“I shan’t get into a discussion of whether these exploits cost $1 million, $2 million, or $20 million. I will instead suggest that all of those price tags seem low for the capability to target and monitor the private activities of entire populations in real time,” Beer wrote. Apple fixed the issues in February, the post added. (Earlier this month, Google researcher Natalie Silvanovich published another report on 10 attacks Project Zero discovered in iOS.)
In previous documented cases, the use of iPhone exploits, and in particular zero days, has been against targeted individuals. A general understanding was that with iPhone attacks being so expensive, an attacker may not want to risk their techniques being discovered and fixed if deployed too widely. Ostensibly this latest attack flips that idea on its head due to its broader nature. Perhaps for this attacker financing such attacks is not a problem, or maybe they have another reliable source of iPhone exploits through their own country’s researchers.
And just earlier this month, Apple faced another serious security issue. With its release of iOS 12.4, Apple accidentally reintroduced a vulnerability that was fixed in 12.3. The bug, funnily enough, had also been discovered by a Google researcher. Because of this reborn bug, hackers released the first public jailbreak for iPhones in years, letting anyone open up their own phone, and potentially more sophisticated hackers break into others’. Apple issued an emergency patch for the issue about a week after the public jailbreak was released.
And the FaceTime bug, the one that the Apple employee picked up the Pwnie Award for, was particularly embarrassing because of the ease with which it could be exploited. Just by creating a group call, and inviting yourself to it, you could hear the audio from the iPhone or Mac of the person you were calling without them needing to actually pick up. After multiple people, including Motherboard, were able to verify that the vulnerability existed, Apple temporarily closed down group FaceTime calls altogether, before issuing a proper fix just over a week later.
Apple’s approach of a walled garden for applications with iPhones only being able to run company-approved software, and overall security measures such as the Secure Enclave for storing cryptographic material have made the iPhone a generally hard-to-hack device. Full exploit chains to break into iPhones stretch into millions and millions of dollars each. At the annual Black Hat cybersecurity conference, Apple finally announced a formal bug bounty for its Mac computers, and the company is now going to provide select researchers with so-called dev-fused phones that are easier for experts to discover vulnerabilities on so they can be fixed.
But this year, Apple has made mistake after mistake, and its perception as the go-to secure device is starting to crack.