In a rare move, Apple has released a statement to comment on the attacks on iPhone users revealed by Google last week.
Last week, Google dropped a bombshell in the form of a long, detailed analysis of five chains of iOS vulnerabilities discovered by its security teams. Google didn’t say who was behind the attacks, nor who was targeted, but described the attack as “indiscriminate,” and potentially hitting “thousands” of people.
On Friday, Apple published a brief press release that disputes some relatively minor details that Google released about the attacks. Namely, Apple says that the attacks lasted for a shorter amount of time and that they were less widespread than Google reported.
“First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community.” Apple wrote. “Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.”
“Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies,” the statement continued.
Clearly, Apple isn’t happy that Google—perhaps its fiercest competitor—discovered what is an embarrassing slew of attacks, and a dangerous example of what a country like China can do to go after an oppressed minority. Google's Project Zero has been a constant thorn in Apple's side, as it has discovered more zero-day exploits and bugs in iOS in recent years than any other entity. This, of course, is good for Apple's overall security and good for iPhone users as a whole, but the fact that Google continues to find and publish severe vulnerabilities in iOS has done damage to the perception that iPhone exploits are rare and that Apple's security team is infallible.
It’s not immediately clear whether the hack was as bad as Google said, but either way this is among the worst and most widespread security breaches in iOS history. Perhaps going after the company that caught the attacks and helped Apple patch the vulnerabilities, and dismissing the gravity and the dangers the attacks posed to an oppressed community is not the best approach in the wake of the worst documented attacks against users in the history of the iPhone.
Google responded to Apple with the following statement: "Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online."
A former Apple security employee criticized the company's reaction and its statement, saying it was misleading. For example, the former employee said, the fact that the attack was narrowly focused "doesn’t say anything about the security of iOS, merely about the restraint of Chinese attackers."
"There was nothing keeping the Chinese from putting their exploit(s) in an advertising iframe and paying Huffington Post to serve it. They could easily have compromised tens of millions of iPhones, but chose not to. As a result, we didn’t find out about these attackers for years," the employee, who spoke on condition of anonymity, said.
This story has been updated to add Google's statement and the former Apple employee's comments.