Apple disputes Google's accuracy on recent iOS hacks, and they may be right
What's Apple keeping under wraps?
Apple has published a statement today disputing some of the facts about a recent hacking campaign discovered by Google security researchers.
Apple's rebuttal targets a series of blog posts Project Zero, Google's elite security team, published on August 30.
The blog posts contained information about a coordinated campaign that used 14 vulnerabilities spread across five exploit chains to infect iOS users with malware when visiting specific sites.
Google said the campaign began in September 2016 and lasted until January 2018, when their staff discovered the malicious sites and reported the attacks to Apple, which then moved in to patch a zero-day abused in the hacks.
It was later reported that the campaign was the work of Chinese state-sponsored hackers, and was aimed at the Uighur Muslim population living in China and abroad. Another report also said that Android and Windows users were also targeted with malicious code planted on similar sites, also aimed at the same Uighuir minority.
But in its blog posts, Google didn't reveal the target of these attacks, and used broad terms to describe the hacks, which Apple now disputes.
Apple's rebuttal
"First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones 'en masse' as described," Apple said.
"The attack affected fewer than a dozen websites that focus on content related to the Uighur community."
"Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not 'two years' as Google implies," Apple said. "We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs."
The Cupertino-based company said iPhone customers reached out, concerned about their safety, because of Google's erroneous report.
And Apple isn't standing alone on these claims. Earlier this week, Yonathan Klijnsma, Head of Threat Research at RiskIQ, told ZDNet in a private conversation that the attacks were indeed very targeted, and that Google was wrong in its initial assessment. He later shared the same thoughts in a public tweet.
One thing misunderstood slightly is the scope of the P0 & @volexity published campaign(s). This watering hole wasn't for everyone. Injections were planted on sites visited by specific communities some with country filtering.
— Yonathan Klijnsma (@ydklijnsma) September 2, 2019
From Apr => Sept we only saw 166 payload requests f.e. pic.twitter.com/vSkDnQ6m27
In the tweet, he cited research published by cyber-security firm Volexity, which detailed a campaign similar to the one described by Apple, but that targeted Android users instead of iOS users.
Klijnsma said that telemetry data from RiskIQ's Passive Total platform showed that the payload targeting Android users triggered only 166 times, a meager number and far from being a mass-exploitation campaign, and was in tune with the attacks aimed at iOS users.
He also told ZDNet that the malicious code planted on the sites used in these attacks also contained filters. These filters would prevent the malicious code from running unless certain conditions were met. These conditions were strict, and prevented the code from running on the devices on random users.
Google stands by its research and researchers
In a statement sent to ZDNet, Google said it stands by its original research, despite Apple's rebuttal.
"Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies," a Google spokesperson said. "We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities."
Furthermore, in the past week, Google has been lambasted by the cyber-security community for only disclosing details about the coordinated campaign targeting iOS users, but not the one that targeted Android devices.
However, Tim Willis, a Google Project Zero member said that this wasn't a sign of Google being duplicitous (and trying to sabotage a rival on the mobile OS market) but that Google researchers only saw the malicious code targeting iOS devices.
"[Google's Threat Analysis Group] only saw iOS exploitation on these sites when TAG found them back in Jan 2019," he said, "and yes, they looked for everything else as well."
... TAG *only* saw iOS exploitation on these sites when TAG found them back in Jan 2019 (and yes, they looked for everything else as well).
— Tim Willis (@itswillis) September 2, 2019
That said, anyone out there with full chain 0day in-the-wild from Android / Windows, feel free to reach out and we'd love to take a look!
Willis' assertment, made on September 2, was confirmed three hours later, when Volexity published its report about the hacking campaign targeting Android users, where the company confirmed there was no overlap between the Android and iOS campaigns.
The conclusion here is that Apple is right in calling out Google, at least on the first point -- that the campaign wasn't an en-mass hacking spree aimed at random iPhone users, but rather a very targeted operation.
Nevertheless, most of the cyber-security community also pointed out that Apple itself is pretentious because it failed to alert users when it learned of this hacking campaign back in February. Most tech companies clearly mark vulnerabilities that are under attack in security updates. But Apple has never done this, and it didn't mention back in February that some of the bugs it fixed were under active exploitation.
Yes, Google might have exaggerated its claims, but Apple isn't the victim here. The Uighur minority is, which Apple failed to protect.