Apple Finally Breaks Its Silence on iOS Hacking Campaign
Credit to Author: Lily Hay Newman | Date: Fri, 06 Sep 2019 19:12:36 +0000
In its first public statement since Google revealed a sophisticated attack against iOS devices, Apple defended its security measures.
Late last Thursday, Google security researchers dropped a bombshell: Someone had launched a sustained attack against iPhone users that compromised their devices almost instantly when they visited certain websites. The campaign forced a fundamental shift in how security professionals think about iOS. And now, after a week of silence, Apple has finally given its side of the story.
In a brief statement, Apple confirmed that the attacks had targeted China's oppressed Uyghur Muslim community, as had previously been reported. But the statement also called out multiple points of contention with how Google characterized the attack.
"First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones 'en masse' as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community," the statement reads. "Google’s post, issued six months after iOS patches were released, creates the false impression of 'mass exploitation' to 'monitor the private activities of entire populations in real time,' stoking fear among all iPhone users that their devices had been compromised. This was never the case."
The company also disputed aspects of Google's timeline, saying that the malicious sites were operational for two months, rather than the roughly two years Google had estimated. Apple's statement also says that it had already discovered the vulnerabilities a few days before Google brought them to Apple's attention. "We were already in the process of fixing the exploited bugs," Apple says. The eventual patch went out on February 7 as part of the iOS 12.1.4 update.
Apple did not, however, dispute the specifics of how the campaign worked. Researchers from Google's elite Project Zero security group identified five different exploit strategies the malicious sites could use to compromise iPhones running almost every version of iOS 10 through iOS 12. The sites, which had thousands of visitors per week, would assess victim devices and then infect them, if possible, with powerful monitoring malware. The attackers reportedly targeted Microsoft Windows and Android devices as well.
The Apple statement also doesn't contravene the central significance of the attacks. Security experts have long assumed that iPhone hacks primarily target very specific, high-value victims, because iOS vulnerabilities that can provide such deep system access to attackers are too rare and prized to risk revealing in mass campaigns. In this situation, though, attackers were using numerous valuable iOS exploits with abandon, shifting that established paradigm.
"Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies," wrote a Google spokesperson in response to Apple's statement. "We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online."
As Project Zero laid out last week, the malicious sites took advantage of 14 vulnerabilities across five distinct exploit chains, each a series of steps that exploit bugs sequentially to gain deeper and deeper access. Google's researchers found that the attackers focused on defeating the protections surrounding key, often-attacked areas of iOS. Seven of the bugs related to Apple's Safari browser. Five vulnerabilities were in the kernel, the operating system's core code. And the hackers exploited two distinct "sandbox escape" vulnerabilities, used to defeat the protections that keep apps from interacting with other programs or data.

Once a device was compromised, the malware could steal user files, access the user's iOS Keychain—which stores passwords and other sensitive data—and monitor live location data. It requested new instructions remotely from a command and control server every 60 seconds. With such deep system access, the attackers could also potentially read or listen to communications sent through encrypted messaging services, like iMessage or Signal, because these programs still decrypt data on the sender's and receiver's devices. Attackers may have even grabbed access tokens that could be used to log in to services like social media and communication accounts.
In the process of apparently attempting to downplay the issue as isolated to the Uyghur community, Apple's statement glosses over the unprecedented surveillance the group has had to endure in China for years. And the fact that the attacks targeted a specific group, rather than iOS customers on a larger scale, doesn't change the fact that such a broad campaign took place to begin with.
"We have a nation-state actor burning zero-days to target an entire community instead of one individual," says Cooper Quintin, security researcher at the nonprofit advocacy group Electronic Frontier Foundation. "In this case it’s a community that, especially in the last couple of years, has been the target of the full force of oppression, surveillance, and imprisonment that the Chinese government can muster."
"Security is a never-ending journey and our customers can be confident we are working for them," Apple's statement reads. "iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software."
But even beyond this hacking campaign, Apple has run into increasing security issues in recent years. In August, Google researchers detailed several so-called interactionless attacks that could break into an iPhone just by sending a text. And other high-profile security gaffes from the company have started to establish a pattern that dates back to at least 2017.
Apple products are still more than secure enough for most people's needs, and it's laudable that Apple patched these vulnerabilities so quickly once it found them. But the stakes of acknowledging and addressing these issues are incredibly high—even if you consider attacks aimed at a community of 11 million people to be a "narrowly focused" threat.