Researchers say websites infected iPhones with spyware


Associated Press

Suspected nation-state hackers used malware-laden websites to infect iPhones with spyware in what security researchers are calling the worst general security failure yet affecting the Apple devices.

Announced late Thursday by Google researchers, the vulnerabilities were quietly fixed by Apple in February, but only after thousands of iPhone users were believed to have been exposed over more than two years.

The researchers did not say who was behind the cyberespionage or what population was targeted, but experts said the operation had the hallmarks of a nation-state effort.

Sensitive data accessed by the spyware included WhatsApp, iMessage and Telegram text messages, Gmail, photos, contacts and real-time location – essentially all the databases on the victim’s phone. While the messaging applications may encrypt data in transit, it is readable at rest on iPhones.

“This is definitely the most serious iPhone hacking incident that’s ever been brought to public attention, both because of the indiscriminate targeting and the amount of data compromised by the implant,” said former U.S. government hacker Jake Williams, the president of Rendition Security.

Google researcher Ian Beer said in a blog post that the discovery should dispel any notion that it costs a million dollars to successfully hack an iPhone.

Apple did not immediately respond to a request for comment on why it did not detect the vulnerabilities on its own and whether it can assure users that such a general attack could not happen again. Privacy assurance is central to the Apple brand.