
Google’s cyber security team has disclosed what it said were critical vulnerabilities in the iPhone, potentially allowing hackers to access millions of devices over the last two years.
Days after an emergency security patch was rushed out for the latest iPhone operating system (iOS), Google’s Project Zero has claimed that previous iOS versions were susceptible to major intrusions, in some cases letting hackers install “monitoring implants” on devices to steal sensitive information.
The security researchers found that a “collection of hacked websites” was used to exploit fourteen different vulnerabilities on iPhones running iOS versions 10 through 12.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” wrote Project Zero’s Ian Beer in a detailed blog post.
“We estimate that these sites receive thousands of visitors per week.”
Beer added that the team’s findings indicate that a group of hackers made a “sustained effort” to breach iPhones over a two-year period.
The monitoring implants gave hackers access to everything from images and messages stored on an affected device to apps like Gmail, WhatsApp and Instagram, as well as highly sensitive information like banking logins and other passwords, potentially leaving customers open to serious identity theft.
While Apple did eventually patch the holes in its iOS update 12.1.4, for years customers were vulnerable to the intrusions, which could still affect users who are on older devices or who have not updated their software.
Apple has not yet weighed in on the disclosures.