情報來源:
https://www.inside.com.tw/article/17391-google-iphone-secretly-hacked
iPhone 最安全?Google:iPhone 早已被惡意網站入侵多年
以為拿 iPhone 就不用擔心資安嗎?Google 資安研究員發現,有不少惡意網站透過尚未
公開的軟體漏洞悄悄入侵 iPhone,目前已有不知情受害者造訪這些惡意網站數千次,時
間至少長達兩年。
根據 TechCrunch 報導,Google 資安團隊 Project Zero 日前發佈一篇文章,指出駭客
先入侵這些網站,之後當 iPhone 使用者造訪這些網站時,就會發送惡意軟體,甚至在手
機裡植入監控程式。
研究人員發現 5 個不同的漏洞利用鏈(exploit chain),從 iOS 10 到 iOS 12 版本都
有,這些利用鏈涉及了 12 種不同的安全漏洞。其中,有 7 個安全漏洞與 iPhone 內建
的網頁瀏覽器 Safari 有關。
這 5 個攻擊鏈讓駭客擁有 iPhone 設備最高等級的「Root」權限,代表駭客可以在使用
者不知情、甚至不同意的情況下,悄悄在手機裡安裝惡意程式,並監視使用者的手機行為
。
他們可以做什麼事呢?駭客可以竊取使用者手機裡的照片和訊息、跟蹤手機目前的即時定
位資訊,甚至還能獲取使用者在手機上儲存的各個密碼。
https://9to5mac.com/2019/09/01/china-iphone-attack-uyghur-muslims/
這些漏洞的可能使用者:
Report: China used iPhone website exploit attacks to target Uyghur Muslims
中國利用iphone的網路漏洞攻擊維吾爾族
A few days ago, Google Project Zero security researchers detailed a chain of
malicious website exploits targeting iPhone users. Now, TechCrunch reports
that the Chinese government used these attacks to target Uyghur Muslims.
之前google 發現了iphone史上最大的漏洞,現在發生這是被中國用來鎖定維吾爾族
Citing sources familiar with the matter, TechCrunch says that the malicious
websites used to hack into iPhones, first detailed by Google, were part of a
“state-backed attack,” likely from China, designed to “target the Uyghur
community in the country’s Xinjiang state.”
The report goes on to detail that according to United Nations data, Beijing
has detained “more than 1 million Uyghurs in internment camps” over the
last year.
Google researchers first explained that the victims were tricked into opening
a link which would direct them to an infected webpage. On that webpage, the
malware was deployed. The implant “primarily focused on stealing files and
uploading live location data,” as often as every 60 seconds. Because the end
device itself had been compromised, services like iMessage were also
affected, researchers said.
受害者只要按下連結就會跳到被感染的網頁,那個網頁會植入不良程式。接下來
這個程式每60秒就會傳送你的位置和你的檔案
When Google security researchers first detailed this attack, it was unclear
who it was specifically targeting. TechCrunch’s report now provides more
detail on that.
The websites were part of a campaign to target the religious group by
infecting an iPhone with malicious code simply by visiting a booby-trapped
web page. In gaining unfettered access to the iPhone’s software, an attacker
could read a victim’s messages, passwords, and track their location in
near-real time.
當iphone被感染了,它們就可以擁有你軟體的權限,讀你的訊息、密碼和位置
The report adds that the websites in question would also infect non-Uyghurs
who happened to visit the infected website. The domains were indexed in
Google search results, which made it relatively easy for anyone to stumble
upon them.
當然這個網站是可以被google到的,所以這是個無差別攻擊,所有人都會被監控
心得:
認為iphone很安全不會中毒而隨便亂按網站的,還是不要亂按了~
之前以色列也這樣監控別人的iphone