In a rare move, Apple has released a statement to comment on the attacks on iPhone users revealed by Google last week.
Last week, Google dropped a bombshell in the form of a long, detailed analysis of five chains of iOS vulnerabilities discovered by its security teams. Google didn’t say who was behind the attacks, nor who was targeted, but described the attack as “indiscriminate,” and potentially hitting “thousands” of people.
Friday, Apple published a brief press release that disputes some relatively minor details that Google released about the attacks: namely, Apple says the attacks lasted for a shorter amount of time and were less widespread than Google reported.
“First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ‘en masse’ as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community,” Apple wrote. “Google’s post, issued six months after iOS patches were released, creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real time,’ stoking fear among all iPhone users that their devices had been compromised. This was never the case.”
“Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not ‘two years’ as Google implies,” the statement continued.
Clearly, Apple isn’t happy that Google—perhaps its fiercest competitor—discovered what is an embarrassing slew of attacks, and a dangerous example of what a country like China can do to go after an oppressed minority. Google’s Project Zero has been a constant thorn in Apple’s side, as it has discovered more zero-day exploits and bugs in iOS in recent years than any other entity. This, of course, is good for Apple’s overall security and good for iPhone users as a whole, but the fact that Google continues to find and publish severe vulnerabilities in iOS has done damage to the perception that iPhone exploits are rare and that Apple’s security team is infallible.
It’s not immediately clear whether the hack was as bad as Google said, but either way this is among the worst and most widespread security breaches in iOS history. Perhaps going after the company that caught the attacks and helped Apple patch the vulnerabilities, and dismissing the gravity and the dangers the attacks posed to an oppressed community, is not the best approach in the wake of the worst documented attacks against users in the history of the iPhone.