It’s Almost Impossible to Tell if Your iPhone Has Been Hacked. A recent vulnerability in WhatsApp shows that there’s little defenders can do to detect and analyze iPhone hacks.
Hackers have been breaking into iPhones allegedly using a powerful spy tool sold to governments and taking advantage of a previously unknown vulnerability in the popular messaging app WhatsApp.
The hacking tool, as well as the WhatsApp exploit, was made by the infamous Israeli hacking and surveillance tool vendor NSO Group, according to The Financial Times, which first reported the story on Monday. WhatsApp found out about the flaw—and eventually patched it—after a victim got in touch with the digital security research group Citizen Lab, which in turn warned the Facebook-owned company.
The incident called into question the much vaunted security of the iPhone, a device considered by many to be the most secure consumer device on the planet. Some iOS security experts say this is yet another incident that shows iOS is so locked down it’s hard—if not impossible—to figure out if your own iPhone has been hacked.
“The simple reality is there are so many 0-day exploits for iOS,” Stefan Esser, a security researcher who specializes in iOS, wrote on Twitter. “And the only reason why just a few attacks have been caught in the wild is that iOS phones by design hinder defenders to inspect the phones.”
As of today, there is no specific tool that an iPhone user can download to analyze their phone and figure out if it has been compromised. In 2016, Apple took down an app made by Esser that was specifically designed to detect malicious jailbreaks. Moreover, iOS is so locked down that without hacking or jailbreaking it first, even a talented security researcher can do very little analysis on it. That is why security researchers crave expensive iPhone prototypes that have security features disabled.
Claudio Guarnieri, a technologist at Amnesty International, who found that a colleague of his was targeted by NSO spyware last year, said that the “irony” is that there are better tools for attackers who want to do forensics on iOS—such as Cellebrite and GrayShift—than for defenders who want to help victims.
“These security controls have made mobile devices extremely difficult to inspect, especially remotely, and particularly for those of us working in human rights organizations lacking access to adequate forensics technology. Because of this, we are rarely able to confirm infections of those who we even already suspect being targeted,” Guarnieri wrote in a mailing list message. “Quite frankly, we are on the losing side of a disheartening asymmetry of capabilities that favors attackers over us, defenders.”
Apple did not respond to a request for comment.
Several iOS security researchers who spoke with Motherboard agree that the iPhone is too locked down for its own good. That makes it very hard for even experts to tell if a device has been compromised without jailbreaking it first, a feat that is not feasible for most users anymore.
“The bad guys will find a way in one way or another. Shouldn’t we enable the good guys to do their job?” said Zuk Avraham, a security researcher who studies iOS attacks, and who is the founder of ZecOps and Zimperium.
Avraham said that in the last few months he’s seen a lot of targeted attacks against iPhone users, so many that it is “mind-blowing.” He declined to provide more evidence or details about the attacks, however.
Jonathan Levin, a researcher who has written books about iOS and macOS internals and security and provides training on iPhone security, said that in his opinion, so few iOS zero-days have been caught because they are worth a lot of money, and thus more likely to be used in targeted attacks.
“To exacerbate the situation, payloads are often tested and perfected for weeks or more before deployment, thus ensuring a high chance of exploitation, and, inversely, a low chance of detection—especially in the case of ‘0 click’ attacks requiring no user interaction,” Levin said.
But unless Apple makes fundamental changes in how iOS is architected, “there is no practical way to tell an iPhone got ‘infected,’” according to a security researcher who goes by the alias Xerub, and who is the organizer of 0x41, an iOS-focused conference.
A security researcher who has extensive experience developing exploits, who asked to remain anonymous because he didn’t want to openly criticize potential customers, said that the fundamental problem is that iOS is “a bug rich environment,” and that Apple’s strategy only works against “hobbyist attackers” but is “quite counterproductive against professional attackers.”
“Of all the mainstream operating systems kernels, you compare the Windows kernel to the Linux kernel to the OSX kernel and iOS kernel, iOS and OSX kernel is routinely the one with more disastrous bugs,” the security researcher said.
The result is that—for the vast majority of people—the iPhone is still a very secure device. But all software, be it a secure messaging app like WhatsApp or an operating system like iOS, has vulnerabilities. And when those vulnerabilities are exploited on an iPhone, it’s almost impossible to tell that the device has been hacked.