Apple Accuses Google of 'Stoking Fear' With iOS Bug ReportGoogle Says It Stands by the Research
Apple is criticizing recent Google research that describes an expansive iPhone hacking campaign, disputing the scope of the campaign and accusing Google of “stoking fear” among users of its products.
Apple confirmed that the hacking campaign targeted Uyghurs, an ethnic group in western China. But the company took issue with Google’s positioning of the incident, which came about six months after Apple fixed the software vulnerabilities Google found in iOS.
Google’s Aug. 29 blog post “creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real time,’ stoking fear among all iPhone users that their devices had been compromised,” Apple says in its statement. “This was never the case.”
A Google spokesman says: “We stand by our in-depth research, which was written to focus on the technical aspects of these vulnerabilities.” The research was done by Google’s Project Zero team, which hunts software bugs.
"Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies,” the company says. “We will continue to work with Apple and other leading companies to help keep people safe online.”
Alex Stamos, an adjunct professor at Stanford University who held top security roles at Facebook and Yahoo, writes on Twitter that Apple’s response to Google’s findings are tone-deaf and underplay the seriousness of the issues involved.
Even if we accept Apple's framing that exploiting Uyghurs isn't as big a deal as Google makes it out to be, they have no idea whether these exploits were used by the PRC in more targeted situations. Dismissing such a possibility out of hand is extremely risky.— Alex Stamos (@alexstamos) September 6, 2019
Google: Short on Important Details
Google’s Project Zero team, which hunts software vulnerabilities, found 14 flaws in iOS. Those flaws, some of which were zero days and had no patch, had been leveraged to create five exploit chains, or software compromises for iOS devices. The exploit chains allow for root access to iOS, opening the door for the installation of rogue code.
Those exploits were then embedded into websites, which Google didn’t name. Rather, Google characterized the sites as a “small collection” that had thousands of visitors per week.
If a vulnerable device visited one of the hacked sites, the website would deliver an exploit and an implant to a device. The implant could then monitor private messages, call histories, photos, GPS data and more.
Google says that “indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.”
While Google’s post described in great detail an alarming activity aimed at compromising many iOS devices, it didn’t describe the group that was targeted or the likely entity behind it.
Eventually, however, those details began to trickle out. TechCrunch and Forbes reported, citing anonymous sources, that iOS campaign was targeted at members of the Uyghur community. That left only one primary suspect behind the campaigns: China, which has been conducting a years long crackdown in the Xinjian Uyghur Autonomous Region.
‘En Masse’ Compromise
Apple took issue with other details in Google’s post, writing that the “website attacks were only operational for a brief period, roughly two months, not ‘two years’ as Google implies.”
The Google post, however, appears to imply only that the exploits had been continually developed for at least two years – when versions of iOS 10 were still in use – and not that the websites necessarily hosted the attack chains for that time period.
Apple also took issue with Google’s description that the attacks aimed at compromising iOS users “en masse.”
“First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ‘en masse’ as described,” Apple writes. “The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.”
Such attacks are sometimes referred to as “watering hole” attacks in that anyone who visits a site is infected, the same as drinking from a poisoned well.
In a related development, last week the security firm Volexity says it observed a watering hole attack that targeted Android devices focused on Uyghur expatriates. The company found 11 websites between July and August that had been rigged to push Android malware that collected devices' information (see: iPhone Hacks May Be Linked to Broader China Spying).
The websites all cater to Uyghur news and issues and included the Uyghur Academy, Turkistan Press, Turkistan TV and Istiqlal Haber. The campaigns appear designed to spy on members of the Uyghur diaspora, as the websites are inaccessible inside China.
Volexity said it while it just had data on Android attacks, it is just as likely that the sites could have been leveraged to target Windows and Apple users. The company says it suspects two Chinese hacking groups carried out the attacks.