{ "id": "f86e8e26-218c-4e92-ac7f-a498f7986d38", "created_at": "2026-04-06T00:16:32.27565Z", "updated_at": "2026-04-10T03:20:32.280826Z", "deleted_at": null, "sha1_hash": "3e09525f3649a651aff83f19ee26415dc0a29c8d", "title": "A very deep dive into iOS Exploit chains found in the wild", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 41426, "plain_text": "A very deep dive into iOS Exploit chains found in the wild\r\nArchived: 2026-04-05 16:00:18 UTC\r\nPosted by Ian Beer, Project Zero\r\nProject Zero’s mission is to make 0-day hard. We often work with other companies to find and report security\r\nvulnerabilities, with the ultimate goal of advocating for structural security improvements in popular systems to\r\nhelp protect people everywhere.  \r\nEarlier this year Google's Threat Analysis Group (TAG) discovered a small collection of hacked websites. The\r\nhacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day.  \r\nThere was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack\r\nyour device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands\r\nof visitors per week.  \r\nTAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version\r\nfrom iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the\r\nusers of iPhones in certain communities over a period of at least two years.\r\nI’ll investigate what I assess to be the root causes of the vulnerabilities and discuss some insights we can gain into\r\nApple's software development lifecycle. The root causes I highlight here are not novel and are often overlooked:\r\nwe'll see cases of code which seems to have never worked, code that likely skipped QA or likely had little testing\r\nor review before being shipped to users.\r\nThis diagram shows a timeline from 13 September 2016 through 22 January 2019 and a breakdown during that\r\nperiod of which versions of iOS where supported by which exploit chain. The only gap appears between 12\r\nDecember 2016 and 27 March 2017. The iPhone 8, 8+ and X are supported from their launch version of iOS (iOS\r\n11) but the Xr and Xs aren't.\r\nWorking with TAG, we discovered exploits for a total of fourteen vulnerabilities across the five exploit chains:\r\nseven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes. Initial analysis\r\nindicated that at least one of the privilege escalation chains was still 0-day and unpatched at the time of discovery\r\n(CVE-2019-7287 \u0026 CVE-2019-7286). We reported these issues to Apple with a 7-day deadline on 1 Feb 2019,\r\nwhich resulted in the out-of-band release of iOS 12.1.4 on 7 Feb 2019. We also shared the complete details with\r\nApple, which were disclosed publicly on 7 Feb 2019.\r\nhttps://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html\r\nPage 1 of 3\n\nNow, after several months of careful analysis of almost every byte of every one of the exploit chains, I’m ready to\r\nshare these insights into the real-world workings of a campaign exploiting iPhones en masse.\r\nThis post will include:\r\ndetailed write-ups of all five privilege escalation exploit chains;\r\na teardown of the implant used, including a demo of the implant running on my own devices, talking to a\r\nreverse-engineered command and control server and demonstrating the capabilities of the implant to steal\r\nprivate data like iMessages, photos and GPS location in real-time, and\r\nanalysis by fellow team member Samuel Groß on the browser exploits used as initial entry points.\r\nLet’s also keep in mind that this was a failure case for the attacker: for this one campaign that we’ve seen, there\r\nare almost certainly others that are yet to be seen.\r\nReal users make risk decisions based on the public perception of the security of these devices. The reality remains\r\nthat security protections will never eliminate the risk of attack if you're being targeted. To be targeted might mean\r\nsimply being born in a certain geographic region or being part of a certain ethnic group. All that users can do is be\r\nconscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as\r\nboth integral to their modern lives, yet also as devices which when compromised, can upload their every action\r\ninto a database to potentially be used against them.\r\nI hope to guide the general discussion around exploitation away from a focus on the the million dollar dissident\r\nand towards discussion of the marginal cost for monitoring the n+1'th potential future dissident. I shan't get into a\r\ndiscussion of whether these exploits cost $1 million, $2 million, or $20 million. I will instead suggest that all of\r\nthose price tags seem low for the capability to target and monitor the private activities of entire populations in real\r\ntime.\r\nI recommend that these posts are read in the following order:\r\n1.\r\n2.\r\n3.\r\n4.\r\n5.\r\n6.\r\n7.\r\nhttps://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html\r\nPage 2 of 3\n\nSource: https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html\r\nhttps://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html" ], "report_names": [ "a-very-deep-dive-into-ios-exploit.html" ], "threat_actors": [], "ts_created_at": 1775434592, "ts_updated_at": 1775791232, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/3e09525f3649a651aff83f19ee26415dc0a29c8d.pdf", "text": "https://archive.orkl.eu/3e09525f3649a651aff83f19ee26415dc0a29c8d.txt", "img": "https://archive.orkl.eu/3e09525f3649a651aff83f19ee26415dc0a29c8d.jpg" } }