1. Skip to content
  2. Skip to main menu
  3. Skip to more DW sites

Google unveils major iPhone security flaw

Lewis Sanders IV
August 30, 2019

The vulnerability had given attackers access to "almost all of the personal information" on the device. Researchers told DW that only "a very resourceful and determined actor" could execute such a sophisticated attack.

https://p.dw.com/p/3Om77
Man speaks into an iPhone
Image: picture-alliance/dpa/A. Heinl

Google researchers on Friday said a security vulnerability in iPhones gave attackers unbridled access to "almost all" personal data on targeted devices.

"There was no target discrimination," said Google's Project Zero team in a blog post. "Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant."

The vulnerability gave the implant widespread access to user data, including database files for popular apps such as WhatsApp and Apple's native iMessage, which implement end-to-end encryption.

The implant could also send location data of iPhones installed with Apple's latest mobile operating systems once every 60 seconds and access the user's Gmail account.

"The implant has access to almost all of the personal information available on the device, which it is able to upload, unencrypted, to the attacker's server," said Project Zero's Ian Beer, a white hat hacker and cybersecurity researcher.

Read more: Europe's cybersecurity gap threatens infrastructure, elections

Hacking for Germany

'Unprecedented' attack

The vulnerability took the cybersecurity world by surprise, in part because of Apple's longstanding image as a secure ecosystem.

Lukasz Olejnik, independent cybersecurity and privacy researcher, told DW that such a sophisticated attack could only be executed by "a very resourceful and determined actor."

"Any prolonged cyber operation targeting thousands of users and using multiple exploits, including zero-days, is unprecedented," said Olejnik, who is also a research associate at Oxford University's Center for Technology and Global Affairs.

"This case is even more important because it might be the first of its kind."

The Project Zero team said rebooting would remove the implant. However, it warned that the attacker could still have access to the user's accounts by using data it gleaned from the device, including passwords.

Read more: WhatsApp's security breach: Made in Israel, implemented worldwide

In Data We Trust — Founders' Valley (2/5)

Every evening, DW's editors send out a selection of the day's hard news and quality feature journalism. You can sign up to receive it directly here.