
Apple is taking flak for disputing some minor details of last week's bombshell report that, for at least two years, customers' iOS devices were vulnerable to a string of zero-day exploits, at least some of which were actively exploited to install malware that stole location data, passwords, encryption keys, and a wealth of other highly sensitive data.

Google's Project Zero said the attacks were waged indiscriminately from a small collection of websites that “received thousands of visitors per week.” One of the five exploit chains Project Zero researchers analyzed showed they “were likely written contemporaneously with their supported iOS versions.” The researchers' conclusion: “This group had a capability against a fully patched iPhone for at least two years.”

Earlier this week, researchers at security firm Volexity reported finding 11 websites serving the interests of Uyghur Muslims that the researchers believed were tied to the attacks Project Zero identified. Volexity's post was based in part on a report by TechCrunch citing unnamed people familiar with the attacks who said they were the work of a nation—likely China—designed to target the Uyghur community in the country's Xinjiang region.

Breaking the silence

For a week, Apple said nothing about any of the reports. Then on Friday, it issued a statement that critics are characterizing as tone-deaf for its lack of sensitivity to human rights and its excessive focus on minor points. Apple officials wrote:

Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We've heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.

Google's post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.

Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they're found. We will never stop our tireless work to keep our users safe.

One of the things most deserving of criticism was the lack of sensitivity the statement showed for the Uyghur population, which over the past decade or longer has faced hacking campaigns, internment camps, and other forms of persecution at the hands of the Chinese government. Rather than condemning an egregious campaign perpetrated against a vulnerable population of iOS users, Apple seemed to be using the hacking spree to assure mainstream users that they weren't targeted. Conspicuously missing from the statement was any mention of China.

Nicholas Weaver, a researcher at UC Berkeley's International Computer Science Institute, summed up much of this criticism by tweeting: “The thing that bugs me most about Apple these days is that they are all-in on the Chinese market and, as such, refuse to say something like ‘A government intent on ethnic cleansing of a minority population conducted a mass hacking attack on our users.’”


— Nicholas Weaver (@ncweaver) September 6, 2019

The statement also seemed to use the fact that “fewer than a dozen” sites were involved in the campaign as another mitigating factor. Project Zero was clear all along that the number of sites was “small” and that they had only a few thousand visitors each month. More importantly, the size of the campaign had everything to do with decisions made by the attackers and little or nothing to do with the security of iPhones.

Two months or two years?

One of the few factual assertions Apple provided in the statement is that the websites were probably operational for only about two months. A careful parsing of the Project Zero report shows researchers never stated how long the sites were actively and indiscriminately exploiting iPhone users. Rather, the report said, an examination of the five attack chains made up of 14 separate exploits suggested that they gave the hackers the ability to infect fully up-to-date iPhones for at least two years.

These points prompted satirical tweets similar to this one from Juan Andrés Guerrero-Saade, a researcher at Alphabet-owned security firm Chronicle: “It didn't happen the way they said it happened, but it happened, but it wasn't that bad, and it's just Uyghurs so you shouldn't care anyways. No advice to give here. Just move along.”

Wow @apple


— J. A. Guerrero-Saade (@juanandres_gs) September 6, 2019

Satire aside, Apple seems to be saying that evidence suggests the sites Google found indiscriminately exploiting the iOS vulnerabilities were operational for only two months. Additionally, as reported by ZDNet, a researcher from security firm RiskIQ