Written by Jeff Stone
Apple doesn’t like what Google has been saying about Apple.
The iPhone-maker released a surprise statement on Friday refuting assertions from Google’s Project Zero researchers, who last week revealed how hackers had exploited five chains of iOS vulnerabilities to spy on “thousands” of users.
The high-profile report by Google did not identify the victims, but claimed those targeted were vulnerable for years if they simply visited an infected website. In its response, Apple described the attack as “narrowly focused,” rather than the kind of “en masse” targeting described by the Project Zero researchers.
Apple confirmed that the hacking activity was aimed at the Uighur community, a Muslim population under mass surveillance by the Chinese government, and said the campaign involved fewer than a dozen websites. Apple said the attacks were “only operational” for two months, rather than two years. The statement takes issue with the scope and volume of Google’s findings, but does not delve into the possible geopolitical implications.
“Google’s post, issued six months after iOS patches were released, creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real time,’ stoking fear among all iPhone users that their devices had been compromised,” Apple said. “This was never the case.”
The Project Zero team on Aug. 29 explained how attackers could use breached websites to infect iOS devices, then access key aspects of the operating system to covertly install malicious apps, monitor a user’s location or monitor communications sent via encrypted messaging apps like iMessage or WhatsApp, among others. Days after the findings were made public researchers from security firm Volexity said they also had found a similar campaign that leveraged Android devices to target Uighur supporters outside China.
Chinese officials in recent years have forced millions of Uighurs, an ethnic minority, into mass detention camps. Beijing also has deployed advanced facial recognition systems, police checkpoints, and experimental predictive crime technology against the population, which resides mostly in the Xinjiang region of China.
Tough to catch
Friday’s statement comes after a week of discussion throughout the security community over whether iOS devices are worthy of their reputation. Apple products often have been described as having a higher level of security than their competitors because iOS offers a closed system, giving Apple more control to fend off hackers and push through security updates, than Android devices. This week, following the Project Zero announcement, the exploit broker Zerodium announced the value of iOS hacking techniques had fallen in value because of their relatively wide availability.
It’s just not clear whether Google’s Project Zero team, a respected group with a long track record of successful research into Apple, or Apple itself is correct about the severity of this apparent espionage campaign, which has been blamed on Chinese hackers.
But that it happened at all is enough reason for concern, independent researchers have said. Patrick Wardle, a former U.S. National Security Agency employee who now probes Apple products as the principal security researcher at Jamf, told CyberScoop that access to an iPhone represents a “gold mine” for hackers. Thanks to Apple’s closed system, which limits visibility into what’s happening on any individual device, it’s also difficult for outside security practitioners to assess whether malicious processes are transmitting sensitive data, such as location information, back to hackers.
“I’m a fairly competent Apple researcher, and I have no idea if my phone is hacked,” Wardle said.
That’s hardly reassuring for anyone apparently affected by this attack.