Google’s Project Zero security team has revealed a vulnerability in iOS that exposed large numbers of users to a hack that allowed the installation of a monitoring implant.
This kind of hack is called a ‘zero-day’, a term whose definitions vary but which refers to a vulnerability in a piece of software that leaves it open to exploitation by outside actors. The stated aim of Project Zero is to make zero-day hard, and it goes about doing so by trying to find such vulnerabilities. Apparently it always publishes these findings after giving the owner of the software time to address the vulnerability, and Apple was told about this one back at the start of February this year.
“Now, after several months of careful analysis of almost every byte of every one of the exploit chains, I’m ready to share these insights into the real-world workings of a campaign exploiting iPhones en masse,” wrote Ian Beer of Project Zero in the blog post detailing the findings. “Let’s also keep in mind that this was a failure case for the attacker: for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen.”
This is at best very embarrassing for Apple, which prides itself on the relative lack of malware on its closed software platforms. The malware was able to install itself on iOS devices if they merely visited an infected website, with no manual download required. Upon successful installation the malware apparently granted the bad guys access to everything on the phone, including passwords, chat histories, etc.
Google is, of course, Apple’s sole rival in the mobile operating system space, so it does seem pretty convenient that it should be discovering iOS vulnerabilities and publicising them. Project Zero’s policy, it seems, is to publish all such findings after an appropriate delay to allow for patching, which, it should be stressed, Apple did immediately, but you have to wonder whether it’s quite as keen to bring Android’s failings into the public domain.