Late last month, security researchers with Google’s Project Zero published a report suggesting that a collection of hacked websites had been exploiting security flaws in iOS devices for at least two years, going back to iOS 10.
The report was kind of a big deal as it revealed evidence of the first major non-targeted iPhone attack — an exploit that could result in your iPhone (or iPad) being hacked simply by visiting a compromised website that contained malicious code.
Although the report did acknowledge that the last of the vulnerabilities had been closed off when Apple released iOS 12.1.4 back in February, the tone of the report, which focused almost entirely on the iOS platform, and the way in which it was reported by others, caused some alarm among iPhone users.
As a result, Apple has issued a statement — something the company seems to be doing much more proactively these days — clarifying the researchers’ results and challenging them on the way in which they presented the report, specifically calling them out on “stoking fear” among users of Apple devices.
Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.
Apple notes that it has heard from customers who “were concerned by some of the claims” so it wants to make sure that it sets the record straight with all of the facts.
Apple notes that the attack in question was “narrowly focused” and not nearly as widespread as Google’s report implied. Although Google never disclosed how many compromised websites were involved in the attack, other than to say it was “a small collection,” later reports revealed that it seems to have been targeted at the Uighur ethnic community in China, a group that has long been the target of surveillance by the Chinese government.
Rather than the “mass exploitation” that Google implied, Apple reveals that the actual attack involved “fewer than a dozen websites,” all of which focused on content that would have been directly related to that community. In other words, while the attack wasn’t “targeted” from a technical point of view — it didn’t require an attacker to do something specific like sending a message to an individual user’s iPhone — it was still targeted at a very specific community in a very specific geographical area (although Apple very pointedly fails to mention China in its own statement).
Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.
Of course, this doesn’t mean that Apple is dismissive of the attack or the exploit involved, but it definitely wants to make sure its users know that it wasn’t just a global fishing expedition indiscriminately going after random iPhone users, as Google’s Project Zero researchers implied.
Two Months, Not Two Years
The report by the Project Zero team also implied that the attack had been going on for up to two years, based on the fact that it took advantage of exploits found from iOS 10 through iOS 12.1.3 — operating systems that were current from September 2016 to February 2018.
According to Apple, however, “all evidence” suggests that the specific website attacks were actually only in place for a brief period of time — roughly two months. Apple also claims that it resolved the issue 10 days after learning about it, and that it was already in the process of fixing it when Google’s Project Zero researchers reported it, which seems to have been three days after Apple had otherwise been made aware of the flaw. Apple doesn’t indicate how the security flaw came to its attention, only that it wasn’t news to the company when Google’s researchers informed it.
Of course, from the perspective of the security researchers, the existence of the vulnerabilities means it’s possible that other attacks existed prior to that, and it would be irresponsible for them to suggest otherwise. Nobody, however, seems to have found evidence that anybody took advantage of these vulnerabilities prior to some version of iOS 12, and it seems likely that nobody even knew about them before that time. It’s also worth noting that of the fourteen exploits that researchers identified, all but two had already been patched long before iOS 12.1.4 came out in February.
Not Just iPhones
Although Apple doesn’t mention this particular point in its own statement, it also appears that Google’s Project Zero researchers may have been disingenuous in suggesting that the attack only affected iPhone users.
As Forbes reported earlier this month, both Android and Windows users were also affected — something that’s not at all surprising, as it would be extremely unusual to find an attack that targeted only the considerably more secure iOS platform. This is true not only from a technical perspective — Android and Windows exploits are even easier to find — but also from a practical one: a surveillance operation against a specific target group would want to cover all of the hardware and software platforms that group is likely to be using, not just iPhones.
To be fair to the researchers, however, Android and Windows exploits are much more common and therefore considerably less interesting from a technical point of view than exploits found in Apple’s iOS, so it’s understandable, even for purely scientific reasons, that they would focus more on the iOS side. It’s also clear, though, that Google’s report didn’t paint the whole picture. A source familiar with the situation also told Forbes that Google had only observed the iOS exploits being served from the sites, so its researchers were unaware that Android and Windows devices were also being targeted.
What This Means
This particular issue is really a tempest in a teapot, however. Even Google’s researchers admitted that the flaws had all been fixed at least six months ago, so anybody running iOS 12.1.4 or later simply isn’t vulnerable to this specific attack. Further, it’s important to keep in mind that Google’s Project Zero report was a scientific analysis of how these exploits were found and how they work, and to be fair was probably never intended to generate the kind of hype that it ultimately did.
Still, this issue is an important reminder that you can’t connect a device to the internet and expect it to be absolutely impervious to hackers. Apple does a really great job at making your iPhone as secure as it possibly can, but with a mobile operating system as complicated as iOS, it’s inevitable that some things are going to slip through the cracks from time to time.
Apple has proven in the past that it’s quick to fix these problems, so the real message to take away from all of this is that you should always keep your iPhone and iPad up to date. We frequently encounter friends and family who are nervous about updates for fear of “breaking something,” but it’s far better to risk a minor (and rare) UI or performance bug than to leave your device — and your personal information — vulnerable to malicious hackers.