Apple Accuses Google of 'Stoking Fear' With iOS Bug Report

Google Says It Stands by the Research
Google headquarters in Mountain View, California (Source: Wikimedia Commons/CC)

Apple is criticizing recent Google research that describes an expansive iPhone hacking campaign, disputing the scope of the campaign and accusing Google of “stoking fear” among users of its products.

Apple confirmed that the hacking campaign targeted Uyghurs, an ethnic group in western China. But the company took issue with Google’s positioning of the incident, which came about six months after Apple fixed the software vulnerabilities Google found in iOS.

Google’s Aug. 29 blog post “creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real time,’ stoking fear among all iPhone users that their devices had been compromised,” Apple says in its statement. “This was never the case.”

A Google spokesman says: “We stand by our in-depth research, which was written to focus on the technical aspects of these vulnerabilities.” The research was done by Google’s Project Zero team, which hunts software bugs.

“Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies,” the company says. “We will continue to work with Apple and other leading companies to help keep people safe online.”

Alex Stamos, an adjunct professor at Stanford University who held top security roles at Facebook and Yahoo, writes on Twitter that Apple’s response to Google’s findings is tone-deaf and underplays the seriousness of the issues involved.

Google: Short on Important Details

Google’s Project Zero team, which hunts software vulnerabilities, found 14 flaws in iOS. Those flaws, some of which were zero days and had no patch, had been leveraged to create five exploit chains, or software compromises for iOS devices. The exploit chains allow for root access to iOS, opening the door for the installation of rogue code.

Those exploits were then embedded into websites, which Google didn’t name. Rather, Google characterized the sites as a “small collection” that had thousands of visitors per week.

If a vulnerable device visited one of the hacked sites, the website would deliver an exploit and an implant to the device. The implant could then monitor private messages, call histories, photos, GPS data and more.

A Google chart outlining the exploit chains and iOS devices affected (Source: Google Project Zero)

Google says that “indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.”

While Google’s post described in great detail an alarming activity aimed at compromising many iOS devices, it didn’t describe the group that was targeted or the likely entity behind it.

Eventually, however, those details began to trickle out. TechCrunch and Forbes reported, citing anonymous sources, that the iOS campaign was targeted at members of the Uyghur community. That left only one primary suspect behind the campaigns: China, which has been conducting a yearslong crackdown in the Xinjiang Uyghur Autonomous Region.

‘En Masse’ Compromise

Apple took issue with other details in Google’s post, writing that the “website attacks were only operational for a brief period, roughly two months, not ‘two years’ as Google implies.”

The Google post, however, appears to imply only that the exploits had been continually developed for at least two years – when versions of iOS 10 were still in use – and not that the websites necessarily hosted the attack chains for that time period.

Apple also took issue with Google’s description that the attacks aimed at compromising iOS users “en masse.”

“First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ‘en masse’ as described,” Apple writes. “The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.”

Such attacks are sometimes referred to as “watering hole” attacks in that anyone who visits a site is infected, the same as drinking from a poisoned well.

In a related development, the security firm Volexity said last week that it observed a watering hole attack, focused on Uyghur expatriates, that targeted Android devices. The company found 11 websites between July and August that had been rigged to push Android malware that collected devices' information (see: iPhone Hacks May Be Linked to Broader China Spying).

The websites all cater to Uyghur news and issues and included the Uyghur Academy, Turkistan Press, Turkistan TV and Istiqlal Haber. The campaigns appear designed to spy on members of the Uyghur diaspora, as the websites are inaccessible inside China.

Volexity said that while it just had data on Android attacks, it is just as likely that the sites could have been leveraged to target Windows and Apple users. The company says it suspects two Chinese hacking groups carried out the attacks.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
