Apple criticized for insensitively downplaying Google's iOS vulnerability revelations
Apple has tried to downplay concerns raised by Google about security vulnerabilities in iOS that could be exploited by malicious websites. Google's Project Zero recently revealed details of flaws in iOS that were being used to target and monitor iPhone users.
Other security researchers went on to warn that the vulnerabilities were being used to target Uyghur Muslims, possibly in a campaign run by the Chinese government. Having remained silent for more than a week after the revelations, Apple finally issued a statement responding to the findings, prompting criticism that the company was trying to downplay the issues.
- Watch Apple's iPhone 11 launch on YouTube
- Brave browser accuses Google of using hidden web pages to track users
- Google security researcher warns that hackers are using malicious websites to exploit iOS flaws and monitor iPhone users
At the end of August Security researcher Ian Beer provided a detailed breakdown of a series of iOS exploits that have the "capability to target and monitor the private activities of entire populations in real time". He also said that the flaws identified were used in a "sustained effort to hack the users of iPhones in certain communities over a period of at least two years".
A few days later, it was suggested by security researchers from Volexity that the exploits were being used to monitor Uyghur Muslims in the Xinjiang Uyghur Autonomous Region (XUAR) in northwest China.
Apple issued a statement, posted on its website:
Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We've heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.
First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones "en masse" as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.
Google's post, issued six months after iOS patches were released, creates the false impression of "mass exploitation" to "monitor the private activities of entire populations in real time," stoking fear among all iPhone users that their devices had been compromised. This was never the case.
Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not "two years" as Google implies. We fixed the vulnerabilities in question in February -- working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.
Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they're found. We will never stop our tireless work to keep our users safe.
Following the statement, Apple was criticized for nit-picking and for failing to show sufficient sympathy and understanding to the Uyghur community. Google made a point of saying that the number of malicious sites detected was small, but Apple felt the need to highlight this in such a way as to make it seem as though the matter had been overstated.
Among those to lash out at the company were Motherboard journalist Joseph Cox and UC Berkeley's International Computer Science Institute researcher Nicholas Weaver:
The thing that bugs me most about Apple these days is that they are all-in on the Chinese market and, as such, refuse to say something like "A government intent on ethnic cleansing of a minority population conducted a mass hacking attack on our users." https://t.co/ACMhtpN53H
— Nicholas Weaver (@ncweaver) September 6, 2019
Joining the criticism was former Facebook security chief Alex Stamos who tweeted:
The use of multiple exploits against an oppressed minority in an authoritarian state makes the likely outcomes *worse* than the Huffington Post example a former Apple engineer posited. It is possible that this data contributed to real people being "reeducated" or even executed.
— Alex Stamos (@alexstamos) September 6, 2019
Even if we accept Apple's framing that exploiting Uyghurs isn't as big a deal as Google makes it out to be, they have no idea whether these exploits were used by the PRC in more targeted situations. Dismissing such a possibility out of hand is extremely risky.
— Alex Stamos (@alexstamos) September 6, 2019
Google issued a statement in response to Apple, saying:
Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online.