Apple doesn’t want Google ‘stoking fear’ about serious iOS security exploits
Apple has issued a tart response to an extensive report by Google of a serious security flaw in iOS. The flaw, which let an attacker gain root access to a device visiting a malicious website, was reported last week. Apple wants to “make sure all of our customers have the facts,” which is funny, because it’s likely we wouldn’t have any of the facts if Google had not so rigorously documented this issue.
In a brief news post, Apple says that it has heard concerns from its customers and wants to make sure they know they are not at risk.
The attack, Apple says, was “narrowly focused” and not an exploit “en masse.” “The attack affected fewer than a dozen websites that focus on content related to the Uighur community,” Apple wrote. TechCrunch was the first to report that Uighurs, an ethnic Muslim group in China currently subject to intense oppression and abuse there, were the intended target of this attack. Apple’s letter confirms that report.
While it’s true that only a small number of websites were affected, Google said that those websites were visited thousands of times per week — and the attacks were active for about two months. Even a conservative estimate based on these numbers suggests more than a hundred thousand devices could easily have been probed and, if vulnerable, infected. If only 1 in 100 were iPhones, that would be root access to a thousand of the target population. That rock-bottom estimate already sounds pretty “en masse” to me.
Furthermore, while it may make the non-Uighurs among us feel better that we were not the targets of this campaign, it’s cold comfort as the targeted demographic could just as easily have been a political or religious institution we do take part in.
It is worth mentioning that campaigns targeting Android devices were not discussed and may very well have been another side of the attack in question. No doubt researchers are looking into this possibility as well, since Android is more popular than iOS in these regions and it would make sense to target that platform too.
Apple takes issue with Google’s suggestion that this offered “the capability to target and monitor the private activities of entire populations in real time.” This was, according to Apple, “stoking fear among all iPhone users that their devices had been compromised.”
Yet Google’s warning in this case seems relevant. An undetectable root exploit for current iPhones deployed via a website popular among a targeted population? That should stoke fear among all iPhone users, as it seems clear that they very well could have been compromised before now. After all, there’s no evidence this Uighur-targeted attack was the only one.
Apple points out that “when Google approached us, we were already in the process of fixing the exploited bugs.” That’s great. But who then wrote up a long technical discussion of the issue so that other security researchers, along with consumers, will be aware?
It’s a bit troubling for Apple to say that “iOS security is unmatched” during the discussion of an incredibly dangerous and powerful exploit that was apparently deployed successfully against an ethnic minority by, almost certainly, the only nation-state that has any interest in doing so. Has Apple explained to the Uighurs whose phones were invisibly and completely taken over by malicious software that it’s okay because “security is a never-ending journey”?
Had Google’s Project Zero researchers not documented this problem, we probably would never have heard about it except as an anonymous “security fixes” decimal point in our mobile operating systems.
“We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities,” Google said in a statement to TechCrunch. “We will continue to work with Apple and other leading companies to help keep people safe online.”
Journey or no journey, this was a serious security failure that appears to have been successfully and maliciously exploited in the wild. Apple’s sour grapes and defensive language are out of place here; a mea culpa would have served the company better.