作者kyle5241 (Kyle Korver)
看板iOS
標題[情報]中國利用iphone 漏洞監控維吾爾族
時間Mon Sep 2 03:15:10 2019
情報來源:
https://www.inside.com.tw/article/17391-google-iphone-secretly-hacked
iPhone 最安全?Google:iPhone 早已被惡意網站入侵多年
以為拿 iPhone 就不用擔心資安嗎?Google 資安研究員發現,有不少惡意網站透過尚未
公開的軟體漏洞悄悄入侵 iPhone,目前已有不知情受害者造訪這些惡意網站數千次,時
間至少長達兩年。
根據 TechCrunch 報導,Google 資安團隊 Project Zero 日前發佈一篇文章,指出駭客
先入侵這些網站,之後當 iPhone 使用者造訪這些網站時,就會發送惡意軟體,甚至在手
機裡植入監控程式。
研究人員發現 5 個不同的漏洞利用鏈(exploit chain),從 iOS 10 到 iOS 12 版本都
有,這些利用鏈涉及了 12 種不同的安全漏洞。其中,有 7 個安全漏洞與 iPhone 內建
的網頁瀏覽器 Safari 有關。
這 5 個攻擊鏈讓駭客擁有 iPhone 設備最高等級的「Root」權限,代表駭客可以在使用
者不知情、甚至不同意的情況下,悄悄在手機裡安裝惡意程式,並監視使用者的手機行為
。
他們可以做什麼事呢?駭客可以竊取使用者手機裡的照片和訊息、跟蹤手機目前的即時定
位資訊,甚至還能獲取使用者在手機上儲存的各個密碼。
https://9to5mac.com/2019/09/01/china-iphone-attack-uyghur-muslims/
這些漏洞的可能使用者:
Report: China used iPhone website exploit attacks to target Uyghur Muslims
中國利用iphone的網路漏洞攻擊維吾爾族
A few days ago, Google Project Zero security researchers detailed a chain of
malicious website exploits targeting iPhone users. Now, TechCrunch reports
that the Chinese government used these attacks to target Uyghur Muslims.
之前google 發現了iphone史上最大的漏洞,現在發生這是被中國用來鎖定維吾爾族
Citing sources familiar with the matter, TechCrunch says that the malicious
websites used to hack into iPhones, first detailed by Google, were part of a
“state-backed attack,” likely from China, designed to “target the Uyghur
community in the country’s Xinjiang state.”
The report goes on to detail that according to United Nations data, Beijing
has detained “more than 1 million Uyghurs in internment camps” over the
last year.
Google researchers first explained that the victims were tricked into opening
a link which would direct them to an infected webpage. On that webpage, the
malware was deployed. The implant “primarily focused on stealing files and
uploading live location data,” as often as every 60 seconds. Because the end
device itself had been compromised, services like iMessage were also
affected, researchers said.
受害者只要按下連結就會跳到被感染的網頁,那個網頁會植入不良程式。接下來
這個程式每60秒就會傳送你的位置和你的檔案
When Google security researchers first detailed this attack, it was unclear
who it was specifically targeting. TechCrunch’s report now provides more
detail on that.
The websites were part of a campaign to target the religious group by
infecting an iPhone with malicious code simply by visiting a booby-trapped
web page. In gaining unfettered access to the iPhone’s software, an attacker
could read a victim’s messages, passwords, and track their location in
near-real time.
當iphone被感染了,它們就可以擁有你軟體的權限,讀你的訊息、密碼和位置
The report adds that the websites in question would also infect non-Uyghurs
who happened to visit the infected website. The domains were indexed in
Google search results, which made it relatively easy for anyone to stumble
upon them.
當然這個網站是可以被google到的,所以這是個無差別攻擊,所有人都會被監控
心得:
認為iphone很安全不會中毒而隨便亂按網站的,還是不要亂按了~
之前以色列也這樣監控別人的iphone
--
※ 發信站: 批踢踢實業坊(ptt.cc), 來自: 131.215.107.226 (美國)
※ 文章網址: https://webptt.com/m.aspx?n=bbs/iOS/M.1567365313.A.3F9.html
※ kyle5241:轉錄至看板 MobileComm 09/02 03:16
1F:→ kouta: 蛤?中共還需要這麼麻煩監控維吾爾族? 09/02 06:34
2F:→ kouta: 維吾爾族的人拿愛瘋多嗎?蛤? 09/02 06:34
3F:→ kouta: 還要先讓他們上那網站 而且重開機就失效!? 09/02 06:44
4F:→ cityport: 以為是大紀元 09/02 07:25
5F:噓 Asbtt: 這邊又不是卓二版。 09/02 07:28
6F:推 YIHE: 還是安卓最安全,監控都不用找漏洞。 09/02 08:07
7F:推 BABU1990: 人跟軟體同時進行沒什麼不好的吧,維穩是中共最在乎 09/02 08:36
8F:→ BABU1990: 的,不會省這個錢才對 09/02 08:36
9F:→ abcd11001100: 抓進去,貨出來,集中營發大財 09/02 08:47
10F:→ nintenblo: 所以也就說是被害者自己手賤下載就中鏢 09/02 09:14
11F:→ abram: 太恐怖 庫克到底在幹嘛 09/02 09:18
12F:推 skhan: 被JB了 09/02 09:57
13F:推 howiekuohr: 新疆的經濟水平有辦法人手一支iPhone 嗎? 09/02 10:45
14F:→ shinmori: 中國為了監控維吾爾族,人人給iphone,真羨慕 09/02 12:05
15F:推 yftzeng: 庫克在忙著騙錢啊 09/02 12:30
16F:噓 cc5566cc: 三小 每個系統都會有漏洞 不檢討監控的人 反而檢討庫克? 09/02 13:23
17F:→ cc5566cc: 超中的啦~ 09/02 13:23
18F:推 jatj: 水準啦,水什麼平... 09/02 13:50
19F:噓 xiangbudao: 最安全是比較出來的 09/02 20:28
20F:→ Xperia: 果粉無視漏洞護航起來 09/02 21:38
21F:噓 buyoption: 喔 是喔 09/03 08:28
22F:→ thomaschion: 自己一堆漏洞先去補好吧 09/03 23:24
23F:推 Qinsect: 如果某樓願意讓我監控我也可以送一隻iphone給你啊 09/04 11:10
24F:推 yuinghoooo: 直接調資料就好啦 09/07 23:12