It’s just over a week since Google’s Project Zero team scored big headlines by publishing the details of an attack against Apple’s iOS. Apple has now hit back. It has published a blog post that lists errors and problems with the claims. Taking the Apple blog at face value, the Project Zero announcement deliberately misrepresented the facts.
This is more than just a spat between two vendors. Apple is not alone in questioning the announcement. TechCrunch and Forbes both voiced concerns over the accuracy of the Project Zero post. TechCrunch was the first to fill in many of the gaps in the Project Zero analysis. It reported that the campaign was focused on targeting the Uyghur community. Because the websites distributing the attack were infecting anyone who visited, a TechCrunch source said the FBI asked Google to remove the site from its index.
Forbes also expanded the story. It disclosed that it was not just iPhones that were the target of the attack. It reported that Google’s Android operating system and Microsoft Windows were also targeted. All the attacks sat on the same servers. This allowed the attackers to catch virtually anyone who visited the infected sites.
What is Apple contesting?
There are two things that Apple has responded to in its blog. The first is the focus of the attack. Depending on how you read the Project Zero report, it gives the impression that this is a major attack that should worry iPhone users everywhere. In fact, Ian Beer of Project Zero goes so far as to write: “All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”
Apple responded to this stating: “First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.
“Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.”
The second issue is that of longevity. Was this an attack that took place for years, or was it a shorter time period? Apple states: “Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.”
The omissions are just as serious
There are several omissions in the Project Zero report that are just as serious as the misperceptions it creates. The biggest of these was called out by both TechCrunch and Forbes: the attack surface was far wider than iPhones and included devices using Google’s Android operating system and Microsoft Windows. Forbes and TechCrunch were able to quickly source such evidence. It is hard to believe, therefore, that Project Zero did not see these other attacks given the time it spent detecting the attacks on iOS.
At present, we have no breakdown as to how many of each device connected to the affected websites during the period the attack was alive. As such, it is impossible to say which OS was the most affected. This, again, comes back to one of the Project Zero misperceptions that this attack was just against Apple iOS devices.
Project Zero and Apple have both chosen to avoid listing the targets of the attacks or the websites involved. However, TechCrunch and Forbes have said that the attacks were against the Uyghur population. This is part of a long-running campaign against that community that has resulted in previous attacks.
A report from security company Volexity details another attack against the same community. In its blog it says there are similarities between the Project Zero report and what it has seen.
This report also references attacks against Android and Gmail and names the websites that were being used. Volexity also names the group it believes is behind the attacks as a threat group it calls Evil Eye. The group is believed to be a Chinese state-sponsored hacking group. However, there is little detail on it or its activities outside of recent attacks against the Uyghur community.
Interestingly, both Apple and Google (Project Zero) have avoided pointing any finger at China. Apple and Project Zero knew which websites were affected and who used them. As such, it seems hard to believe that neither was aware that China or at least a Chinese state-sponsored actor was involved.
Apple still has issues to address
While Apple has responded to some of the Project Zero claims, there are other issues here that are serious for it. It states that it issued patches for the vulnerabilities in February, 10 days after it was notified. By any standards, that’s a quick response. However, it then failed to provide any detail of what the patches addressed.
However, the details of the attack and what it was able to access are of more concern. Those details are in Beer’s analysis of the attack, the Implant Teardown. In that blog, Beer details all the information that the attackers were able to access. Of concern is that Beer writes: “The implant has access to all the database files (on the victim’s phone) used by popular end-to-end encryption apps like Whatsapp, Telegram and iMessage.” He goes on to show the data that was accessible on infected devices.
Beer points out that the attackers gained access to the container directories of all third-party apps. In effect, it means that all data on the devices was accessible. As Beer states: “The implant has access to almost all of the personal information available on the device, which it is able to upload, unencrypted, to the attacker’s server.”
This is unlikely to be the last attack of its type against iOS or other operating systems such as Android or Windows. Attacks like these are attracting significant rewards. Vulnerabilities are purchased by private companies who sell them to governments who then hoard them. This was brought into focus last week when Zerodium released the details of its latest payouts for Android, iOS and Windows.
Enterprise Times: What does this mean?
No vendor wants to be outed with the suggestion that its products have suffered a security breach. This, however, is much more than just a public spat between Apple and Google. The Project Zero team are among the most respected research teams in cybersecurity. The whole way this has played out throws doubt on their impartiality. This is a view that they will want to dispel immediately.
Apple could help in this regard. It does not have a great record of working with the cybersecurity industry. It makes it almost impossible for researchers to access details of malware on infected devices. If it changed that approach, researchers would be able to identify attacks sooner and help Apple deal with them. However, to do so would remove some of the mystery about how secure iOS really is.
For now, users should make sure that they patch their devices regularly to reduce the risk of attack.