Google’s Project Zero team hasn’t been shy in accusing Apple of lax security practices or sneaky updates to its security advisories over the last year, most recently claiming that Apple sat on major iOS vulnerabilities that let hackers target China’s Uighur Muslim community. Apple returned fire in a rare statement today, accusing Google of creating a “false impression” to stoke fears of a widespread, extended compromise of iPhone security.
While the technical details of the vulnerabilities are complex, Google’s accusation was that exploits were found in iOS 10, 11, and 12, which “indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.” Project Zero didn’t name the targeted communities, but later reports identified them as primarily Uighur Muslims, a group that has been targeted by the Chinese government, as well as other users who might have inadvertently been drawn into the hacks.
Google’s latest allegations were especially unusual in that they came roughly a half year after the vulnerabilities were reported to Apple and addressed. Though there are often lags between the discovery of security exploits, their patching, and public disclosure, this particular set of exploits was addressed within 10 days of Project Zero’s contact with Apple — nowhere near as long as Apple has been accused of sitting on exploits in the past.
Apple’s statement today describes the attack as sophisticated but narrow in focus, affecting fewer than a dozen Uighur websites, and most likely active for roughly two months rather than two years. In other words, though the exploits might have impacted two years (and three generations) of iOS releases, the actual website attacks were far briefer in nature. As Apple explains:
Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.

Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.
Most users shouldn’t be concerned about weaknesses in their iPhones, the company suggests. “iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software,” the statement continues, hinting at Google’s largely software-based work with Android, which leaves other companies to fine-tune Android hardware designs. “We will never stop our tireless work to keep our users safe.”
Though Project Zero’s blog post focused on vulnerabilities in iOS, it quickly emerged that Apple wasn’t the only company targeted by the attacks. Google’s own Android platform and Microsoft’s Windows had their own vulnerabilities, enabling attackers to gather device identification numbers, phone numbers, locations, usernames, and other private details from users who visited 11 different Uighur sites, including Turkistan TV, the Uighur Times, and the Turkistan Press. It’s unclear whether the hackers were officially Chinese state-sponsored or not, but China’s government has actively surveilled and persecuted the minority group for years, increasing the likelihood of at least unofficial government involvement in the hacks.