Saturday, 07 September 2019 21:02

Apple issues message about iOS security post Google's 'deep dive'


After Google's very scary sounding Project Zero security report suggesting groups making a "sustained effort to hack the users of iPhones in certain communities over a period of at least two years", Apple has struck back.

On the 28th of August, Google's Project Zero division, which finds and reports security vulnerabilities, issued a very detailed blog post entitled "A very deep dive into iOS Exploit chains found in the wild"; Apple has now struck back with a pointed message.

UPDATE: Google has issued a statement to The Verge, responding to Apple's statement. Google's statement is at the end of this article. 

First, some background. Google noted its "Threat Analysis Group" or TAG team had "discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day".

Ian Beer of Project Zero continued, stating: "There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.

"TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.

"I’ll investigate what I assess to be the root causes of the vulnerabilities and discuss some insights we can gain into Apple's software development lifecycle. The root causes I highlight here are not novel and are often overlooked: we'll see cases of code which seems to have never worked, code that likely skipped QA or likely had little testing or review before being shipped to users."

The rest of the analysis from Beer and Project Zero, which is definitely worth reading, can be found here, but what did Apple have to say in response?

Well, a week later, Apple has issued a response entitled "A message about iOS security". 

Apple's statement is reprinted in full, below:

"Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We’ve heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.

"First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.

"Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.

"Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

"Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they’re found. We will never stop our tireless work to keep our users safe."

So, Apple has responded at long last, and suggests things were nowhere near as dire as Google suggested, even though Apple did admit the website attacks were operational for roughly two months.

Let us hope that Apple, Google, Microsoft and others have quadrupled their efforts to proactively find these vulnerabilities and squash them as quickly and as definitively as possible.

These vulnerabilities are extremely serious and threaten the security and privacy of all users, especially those of the "zero day" variety, which the Apples, Googles, Microsofts and others of the world can't yet protect their users from.

Of course, Google's Android is not immune to hackers by any means, nor is Microsoft, or Facebook and others, so the old adage about throwing stones in glass houses is apt for all players.

As former US President Ronald Reagan said, freedom is not passed down through the bloodline to every new generation, but must be fought for and preserved.

Ultimately, no device can ever be guaranteed to be 100% secure, so this is a reminder of the fragility of security and privacy for us all, and of how we must be the ones to pass freedom, security and privacy on to future generations, lest we be the ones to tell our grandchildren what it was once like to live in a world where freedom, security and privacy were taken for granted, but aren't any more.

We don't live in that particular future yet. Let us hope that we never do.

Update: Google issued a statement to The Verge:

"Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online."


Alex Zaharov-Reutt

One of Australia’s best-known technology journalists and consumer tech experts, Alex has appeared in his capacity as technology expert on all of Australia’s free-to-air and pay TV networks on all the major news and current affairs programs, on commercial and public radio, and technology, lifestyle and reality TV shows.
