Millions of iPhones at Risk: Major Hack Leaked!

Phucthinh

A significant cybersecurity threat has emerged, putting potentially hundreds of millions of iPhone users at risk. Last week, researchers identified a sophisticated hacking campaign leveraging an advanced tool called DarkSword. Now, a newer version of DarkSword has been leaked and publicly released on the code-sharing platform GitHub, dramatically lowering the barrier to entry for malicious actors. This development poses a serious threat to users running older versions of Apple’s iOS, specifically those who haven’t updated to the latest iOS 26 software. Apple data suggests a substantial number of devices remain vulnerable, potentially impacting a massive user base.

The DarkSword Leak: A Critical Threat Landscape

The leak of DarkSword is being described as a “game changer” by security experts. Matthias Frielingsdorf, co-founder of mobile security startup iVerify, stated to GearTech, “This is bad. They are way too easy to repurpose. I don’t think that can be contained anymore. So we need to expect criminals and others to start deploying this.” The leaked files, consisting of simple HTML and JavaScript, can be quickly deployed by anyone with basic server administration skills, requiring minimal technical expertise.

How DarkSword Works: Exploiting Vulnerabilities

According to analysis by iVerify and Google, the new DarkSword versions share the same underlying infrastructure as previously analyzed iterations, albeit with slight modifications. The simplicity of the code allows for rapid deployment. “The exploits will work out of the box,” Frielingsdorf explained. “There is no iOS expertise required.” The leaked code contains comments detailing how the exploits function and how to implement them, further simplifying the process for potential attackers.

Specifically, the code is designed to “read and exfiltrate forensically-relevant files from iOS devices via HTTP,” meaning it steals sensitive data from iPhones and iPads and transmits it to attacker-controlled servers. The process involves injecting a payload into a process with filesystem access, enabling the malware to access and extract valuable information.

What Data is at Risk?

Once DarkSword gains access to a device, it can perform “post-exploitation activity,” including:

  • Accessing contacts
  • Reading messages
  • Retrieving call history
  • Dumping the iOS keychain (containing Wi-Fi passwords and other sensitive credentials)

This stolen data is then uploaded to a remote server. Notably, one file references uploading data to a Ukrainian apparel website; the reason for this remains unclear, but it raises concerns given DarkSword’s alleged use by Russian government hackers against Ukrainian targets.

Affected Devices and iOS Versions

DarkSword specifically targets iPhones and iPads running iOS 18. Apple’s own data indicates that approximately one-quarter of all iPhone and iPad users are still operating on iOS 18 or earlier. With over 2.5 billion active Apple devices worldwide, this translates to potentially hundreds of millions of vulnerable devices. This makes the scale of the potential impact incredibly significant.

Apple’s Response and Mitigation Strategies

Apple spokesperson Sarah O’Rourke confirmed to GearTech that the company is aware of the exploit and issued an emergency update on March 11 for devices unable to run the latest iOS versions. “Keeping your software up to date is the single most important thing you can do to maintain the security of your Apple products,” O’Rourke emphasized. She also noted that devices running updated software are not at risk, and that Lockdown Mode provides an additional layer of protection against these specific attacks.

Lockdown Mode: A Powerful Security Feature

Lockdown Mode, introduced in iOS 16, is an extreme, optional protection for users who believe they may be personally targeted by sophisticated digital threats. It severely limits certain functionalities to reduce the attack surface, effectively blocking attacks like those leveraging DarkSword.

GitHub’s Role and the Broader Context

A spokesperson for Microsoft, which owns GitHub, has yet to comment on the situation. The presence of the leaked DarkSword code on GitHub highlights the challenges of controlling the spread of malicious tools in open-source environments. This incident follows the recent discovery of another advanced iPhone hacking toolkit, Coruna, originally developed by the defense contractor L3Harris.

The Rise of Nation-State Hacking Tools

The emergence of both DarkSword and Coruna underscores a growing trend: the proliferation of sophisticated hacking tools developed by governments and defense contractors. These tools, often designed for targeted surveillance, are increasingly finding their way into the hands of criminals and other malicious actors, expanding the potential for widespread harm.

Coruna: A Precursor to DarkSword

Coruna, developed by L3Harris’ Trenchant division, is a hacking toolkit used by the U.S. government and its allies. The leak of DarkSword, following closely on the heels of Coruna’s discovery, raises concerns about the security of these powerful tools and the potential for their misuse.

Protecting Yourself: Urgent Steps to Take

Given the severity of the threat, it is crucial for iPhone and iPad users to take immediate action:

  1. Update Your iOS: The most important step is to update your device to the latest available version of iOS.
  2. Enable Lockdown Mode: If you believe you may be a target of sophisticated attacks, consider enabling Lockdown Mode.
  3. Be Vigilant: Exercise caution when clicking on links or downloading attachments from unknown sources.
  4. Monitor Your Accounts: Regularly monitor your financial accounts and other sensitive information for any signs of unauthorized activity.

The Future of Mobile Security

The DarkSword leak serves as a stark reminder of the evolving threat landscape facing mobile devices. As hacking tools become more sophisticated and readily available, it is essential for Apple and other technology companies to prioritize security and provide users with robust protection mechanisms. Furthermore, increased collaboration between security researchers, government agencies, and the private sector is crucial to mitigating these risks and safeguarding the digital lives of millions of users. The incident also highlights the need for greater scrutiny and regulation of the development and distribution of offensive cybersecurity tools.
