作者kyle5241 (Kyle Korver)
看板iOS
标题[情报]中国利用iphone 漏洞监控维吾尔族
时间Mon Sep 2 03:15:10 2019
情报来源:
https://www.inside.com.tw/article/17391-google-iphone-secretly-hacked
iPhone 最安全?Google:iPhone 早已被恶意网站入侵多年
以为拿 iPhone 就不用担心资安吗?Google 资安研究员发现,有不少恶意网站透过尚未
公开的软体漏洞悄悄入侵 iPhone,目前已有不知情受害者造访这些恶意网站数千次,时
间至少长达两年。
根据 TechCrunch 报导,Google 资安团队 Project Zero 日前发布一篇文章,指出骇客
先入侵这些网站,之後当 iPhone 使用者造访这些网站时,就会发送恶意软体,甚至在手
机里植入监控程式。
研究人员发现 5 个不同的漏洞利用链(exploit chain),从 iOS 10 到 iOS 12 版本都
有,这些利用链涉及了 12 种不同的安全漏洞。其中,有 7 个安全漏洞与 iPhone 内建
的网页浏览器 Safari 有关。
这 5 个攻击链让骇客拥有 iPhone 设备最高等级的「Root」权限,代表骇客可以在使用
者不知情、甚至不同意的情况下,悄悄在手机里安装恶意程式,并监视使用者的手机行为
。
他们可以做什麽事呢?骇客可以窃取使用者手机里的照片和讯息、跟踪手机目前的即时定
位资讯,甚至还能获取使用者在手机上储存的各个密码。
https://9to5mac.com/2019/09/01/china-iphone-attack-uyghur-muslims/
这些漏洞的可能使用者:
Report: China used iPhone website exploit attacks to target Uyghur Muslims
中国利用iphone的网路漏洞攻击维吾尔族
A few days ago, Google Project Zero security researchers detailed a chain of
malicious website exploits targeting iPhone users. Now, TechCrunch reports
that the Chinese government used these attacks to target Uyghur Muslims.
之前google 发现了iphone史上最大的漏洞,现在发生这是被中国用来锁定维吾尔族
Citing sources familiar with the matter, TechCrunch says that the malicious
websites used to hack into iPhones, first detailed by Google, were part of a
“state-backed attack,” likely from China, designed to “target the Uyghur
community in the country’s Xinjiang state.”
The report goes on to detail that according to United Nations data, Beijing
has detained “more than 1 million Uyghurs in internment camps” over the
last year.
Google researchers first explained that the victims were tricked into opening
a link which would direct them to an infected webpage. On that webpage, the
malware was deployed. The implant “primarily focused on stealing files and
uploading live location data,” as often as every 60 seconds. Because the end
device itself had been compromised, services like iMessage were also
affected, researchers said.
受害者只要按下连结就会跳到被感染的网页,那个网页会植入不良程式。接下来
这个程式每60秒就会传送你的位置和你的档案
When Google security researchers first detailed this attack, it was unclear
who it was specifically targeting. TechCrunch’s report now provides more
detail on that.
The websites were part of a campaign to target the religious group by
infecting an iPhone with malicious code simply by visiting a booby-trapped
web page. In gaining unfettered access to the iPhone’s software, an attacker
could read a victim’s messages, passwords, and track their location in
near-real time.
当iphone被感染了,它们就可以拥有你软体的权限,读你的讯息、密码和位置
The report adds that the websites in question would also infect non-Uyghurs
who happened to visit the infected website. The domains were indexed in
Google search results, which made it relatively easy for anyone to stumble
upon them.
当然这个网站是可以被google到的,所以这是个无差别攻击,所有人都会被监控
心得:
认为iphone很安全不会中毒而随便乱按网站的,还是不要乱按了~
之前以色列也这样监控别人的iphone
--
※ 发信站: 批踢踢实业坊(ptt.cc), 来自: 131.215.107.226 (美国)
※ 文章网址: https://webptt.com/cn.aspx?n=bbs/iOS/M.1567365313.A.3F9.html
※ kyle5241:转录至看板 MobileComm 09/02 03:16
1F:→ kouta: 蛤?中共还需要这麽麻烦监控维吾尔族? 09/02 06:34
2F:→ kouta: 维吾尔族的人拿爱疯多吗?蛤? 09/02 06:34
3F:→ kouta: 还要先让他们上那网站 而且重开机就失效!? 09/02 06:44
4F:→ cityport: 以为是大纪元 09/02 07:25
5F:嘘 Asbtt: 这边又不是卓二版。 09/02 07:28
6F:推 YIHE: 还是安卓最安全,监控都不用找漏洞。 09/02 08:07
7F:推 BABU1990: 人跟软体同时进行没什麽不好的吧,维稳是中共最在乎 09/02 08:36
8F:→ BABU1990: 的,不会省这个钱才对 09/02 08:36
9F:→ abcd11001100: 抓进去,货出来,集中营发大财 09/02 08:47
10F:→ nintenblo: 所以也就说是被害者自己手贱下载就中镖 09/02 09:14
11F:→ abram: 太恐怖 库克到底在干嘛 09/02 09:18
12F:推 skhan: 被JB了 09/02 09:57
13F:推 howiekuohr: 新疆的经济水平有办法人手一支iPhone 吗? 09/02 10:45
14F:→ shinmori: 中国为了监控维吾尔族,人人给iphone,真羡慕 09/02 12:05
15F:推 yftzeng: 库克在忙着骗钱啊 09/02 12:30
16F:嘘 cc5566cc: 三小 每个系统都会有漏洞 不检讨监控的人 反而检讨库克? 09/02 13:23
17F:→ cc5566cc: 超中的啦~ 09/02 13:23
18F:推 jatj: 水准啦,水什麽平... 09/02 13:50
19F:嘘 xiangbudao: 最安全是比较出来的 09/02 20:28
20F:→ Xperia: 果粉无视漏洞护航起来 09/02 21:38
21F:嘘 buyoption: 喔 是喔 09/03 08:28
22F:→ thomaschion: 自己一堆漏洞先去补好吧 09/03 23:24
23F:推 Qinsect: 如果某楼愿意让我监控我也可以送一只iphone给你啊 09/04 11:10
24F:推 yuinghoooo: 直接调资料就好啦 09/07 23:12