Fw: [Info] China uses iPhone vulnerabilities to surveil Uyghurs

Original poster: kyle5241 (kyle)   2019-09-02 03:16:20
※ [This post was forwarded from the iOS board #1TR1Z1Fv ]
Author: kyle5241 (Kyle Korver) Board: iOS
Title: [Info] China uses iPhone vulnerabilities to surveil Uyghurs
Time: Mon Sep 2 03:15:10 2019
Source:
https://www.inside.com.tw/article/17391-google-iphone-secretly-hacked
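iPhone the most secure? Google: iPhones have been hacked by malicious websites
for years
Think having an iPhone means you don't need to worry about security? Google
security researchers found that a number of malicious websites had been quietly
compromising iPhones through undisclosed software vulnerabilities; unsuspecting
victims have visited these malicious websites thousands of times, over a period
of at least two years.
According to TechCrunch, Google's security team Project Zero recently published
a post stating that the attackers first compromised these websites; afterwards,
when iPhone users visited them, the sites would deliver malware and even plant
a monitoring implant on the phone.
The researchers found 5 distinct exploit chains, covering versions from iOS 10
to iOS 12, and these chains involved 12 different security vulnerabilities. Of
these, 7 were related to Safari, the iPhone's built-in web browser.
These 5 attack chains gave the attackers the highest-level "root" privileges on
the iPhone, meaning they could quietly install malicious programs on the phone
and monitor the user's phone activity without the user's knowledge, let alone
consent.
What could they do? The attackers could steal photos and messages from the
user's phone, track the phone's current real-time location, and even obtain the
passwords the user had stored on the phone.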
https://9to5mac.com/2019/09/01/china-iphone-attack-uyghur-muslims/
Who may have used these vulnerabilities:
Report: China used iPhone website exploit attacks to target Uyghur Muslims
China used iPhone web vulnerabilities to attack Uyghurs
A few days ago, Google Project Zero security researchers detailed a chain of
malicious website exploits targeting iPhone users. Now, TechCrunch reports
that the Chinese government used these attacks to target Uyghur Muslims.
Google previously discovered the biggest iPhone vulnerability ever, and now it turns out it was used by China to target Uyghurs
Citing sources familiar with the matter, TechCrunch says that the malicious
websites used to hack into iPhones, first detailed by Google, were part of a
“state-backed attack,” likely from China, designed to “target the Uyghur
community in the country’s Xinjiang state.”
The report goes on to detail that according to United Nations data, Beijing
has detained “more than 1 million Uyghurs in internment camps” over the
last year.
Google researchers first explained that the victims were tricked into opening
a link which would direct them to an infected webpage. On that webpage, the
malware was deployed. The implant “primarily focused on stealing files and
uploading live location data,” as often as every 60 seconds. Because the end
device itself had been compromised, services like iMessage were also
affected, researchers said.
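Victims only had to tap a link to be taken to an infected webpage, and that
webpage would plant a malicious program. After that, the program would send
your location and your files every 60 seconds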
When Google security researchers first detailed this attack, it was unclear
who it was specifically targeting. TechCrunch’s report now provides more
detail on that.
The websites were part of a campaign to target the religious group by
infecting an iPhone with malicious code simply by visiting a booby-trapped
web page. In gaining unfettered access to the iPhone’s software, an attacker
could read a victim’s messages, passwords, and track their location in
near-real time.
Once an iPhone is infected, they gain access to your software and can read your messages, passwords and location
The report adds that the websites in question would also infect non-Uyghurs
who happened to visit the infected website. The domains were indexed in
Google search results, which made it relatively easy for anyone to stumble
upon them.
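Of course, this website could be found through Google, so this was an indiscriminate attack; everyone would be monitored
Thoughts:
If you think the iPhone is so secure it can't get infected and so click on websites carelessly, better stop clicking carelessly~
Israel also monitored other people's iPhones this way before
Author: Hohenzollern   2019-09-02 03:49:00
The Israeli IT company thing was back in 2016
Author: AJizzInPants (阿基师在裤子里)   2019-09-02 08:55:00
If you haven't done anything wrong, why be afraid of surveillance? Have the Taiwanese ever been to Xinjiang?
Author: sunskist0831 (好男不当兵)   2019-09-02 11:02:00
Fake. Let's get back to criticizing 卓卓
Author: princeguitar (王早)   2019-09-02 15:37:00
People really shouldn't be so short-sighted as to throw away their own conscience and their freedom of life with their own hands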
