Apple Downplays iPhone Security Issue

Posted on September 6, 2019 by Paul Thurrott in Apple, Google, iOS, Mobile with 47 Comments

Last week, Google security researchers said that they had discovered a two-year-long vulnerability in Apple’s iPhones. Today, Apple claimed that Google overstated the nature of the resulting attack and that it timed its revelations to undermine sales of the next iPhones.

According to researchers at Google’s Project Zero, who look for zero-day vulnerabilities, hackers exploited 14 different software flaws in iOS, 7 of which specifically targeted Safari, to install malware and access various iPhone features, including passwords, iMessage conversations, and GPS data. The vulnerabilities had been exploited for months, they said, and targeted a small number of websites.

But as it turns out, Apple disagrees with many of these points. And it challenges both the content and the timing of the Google revelations.

“The sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ‘en masse’ as described [by Google],” an Apple statement explains. “The attack affected fewer than a dozen websites that focus on content related to the Uighur community [only].”

Google’s blog post, Apple says, was issued six months after Apple released patches to fix the flaw. “[This] creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real-time,’ stoking fear among all iPhone users that their devices had been compromised. This was never the case,” Apple added.

“All evidence indicates that these website attacks were only operational for a brief period, roughly two months, not ‘two years’ as Google implies,” Apple continued. “We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.”

Worst of all, perhaps, Google Project Zero suddenly went public with information about the months-old flaws on the same day that Apple announced its September 10 iPhone event. Did Google time this revelation purposefully to undermine the new iPhones? It’s a good question.

 


47 responses to “Apple Downplays iPhone Security Issue”

  1. Ben Lee

    It's an extremely arrogant and dismissive response from Apple. Dismissing who it's targeting and what the targeting could have led to. The details were released around infosec security conference season as the white hats who discovered the exploits presented their findings to the community. The details also took months to research after being discovered. It was a professional and targeted attack, suspected by the PRC, on the Rohingya people or anyone trying to support and assist them. It does really show Apple's true colours in stark light though.

    • Ben Lee

      In reply to Ben Lee:

      Alex Stamos sums it up nicely in his re-written version.


      https://twitter.com/alexstamos/status/1170076262078939136


    • jwpear

      In reply to Ben Lee:

      Is it arrogant? Maybe. Maybe not. I have a hard time believing Google's motivation for this is purely to protect the innocent people of the world. They stand to gain from uncertainty about products that compete with them. The response authored by Alex Stamos is marketing fluff to me. It doesn't feel genuine. In fact, the tone, especially referring to Google as colleagues, feels more arrogant to me.

      • Ben Lee

        In reply to jwpear:

        That's a misunderstanding of the security industry, most you speak with feel anyone in the industry is a colleague rather than a competitor. I agree Stamos' alternate is marketing fluff too, though I feel he was trying to represent Apple's language.

    • jimchamplin

      In reply to Ben Lee:

      It's neither arrogant nor dismissive.


      Google acted in bad faith by "reporting" on an already-closed hole in such a hyped up way. Misrepresenting the time frame and turning the hyperbole up even one notch turns it into even more obvious theater. Apple has every right to slap back at Google for what they did.


      Realize that you're defending Google turning security research and reporting literally into clickbait.

      • wright_is

        In reply to jimchamplin:

        I agree that Google's actions are suspect and not in accordance with their own reporting guidelines.

        But, on the other hand, it is also a poor show on Apple to say that it only affected a politically repressed minority and it isn't worth talking about.

        A security hole is a security hole. Trying to push it under the carpet as not worth mentioning, because it only affected a few repressed people is disgusting.

        If they had just said that it was a chain of serious bugs that had been patched 6 months ago and, as far as can be seen, it had only been used in a targeted, state sponsored attack and the general iPhone population were not targeted, that would be fine.

        To try and quash the whole thing as not worth reporting at all is wrong and robs them of the justification of pointing out Google could have used it for political timing. They could have come out looking like they had been wronged by Google, but they managed to turn that around to look like a petulant child trying to cover up their own guilt.

        Both parties are equally bad here.

        • sandy

          In reply to wright_is:

          Just because Google only found a few sites exploiting these serious bugs doesn't mean there may not have been some others exploiting it in similarly targeted ways.


          On the timing of Google's announcement; let's not assume malice when incompetence is equally possible.

          Much as I dislike Google, Project Zero generally do excellent work which helps everyone on the Internet, so despite them not always sticking to their 90-day limit (e.g. bugs in Google products compared to a recent example with a Microsoft bug, and 6 months for Spectre/Meltdown), I'll give them the benefit of the doubt as to whether it was deliberately timed shortly ahead of Apple's event vs they scheduled it for security conference season, or they didn't fully document everything before their (northern) summer holidays, or just forgot to announce details months ago.

          As to the suggestion of Google exaggerating this, I didn't get that from the coverage I've seen & heard; it seemed clear that Apple had fixed at least one exploit required in February so it wasn't a risk since then.

          Apple shouldn't downplay this; they can't have it both ways by claiming to be the most secure yet have a tantrum when embarrassed like this. (And as others have said no software is perfect.)

      • Ben Lee

        In reply to jimchamplin:

        Google did not turn this into clickbait. They released a highly technical description of the exploit chain. Have you read the blog post by Project Zero? It is anything but clickbait.

        • wright_is

          In reply to Ben Lee:

          Yes, but you have to ask why they ignored their own guidelines and released this 6 months after they normally would have... In the past they have been all too happy to release the details after 90 days, even if the company working on the patches needs an extra couple of days or weeks to get the patch tested and released. Now, for some reason, they have ignored their own 90 day deadline and have waited ~180 days after the patch was released.

  2. joinncc.online

    You're Right. But you're also entertaining a false equivalence. Isn't it a bit disingenuous to blame Google for Samsung's irresponsibility?


  3. wocowboy

    Trying to create a stir on the day an event was announced for the launch of new devices while not following the usual protocol of giving a certain number of days for Apple to react and patch the flaws is shady conduct no matter how you look at it. The extremely narrow nature of the exploit and its deployment, plus the fact that these flaws were patched months ago within days of their disclosure, makes this very much a non-issue and a tempest in a teapot. Yes, these OS's have flaws, that's nothing new, and they are for sale everywhere and new ones are found every single day. There evidently is nothing that can be done about it other than being diligent in evaluating and patching them. It doesn't matter whether it's Google, Microsoft, or Apple.

    • wright_is

      In reply to wocowboy:

      Erm, the flaws were already patched... 6 months ago...

      Usually Google announce the issue at the same time the manufacturer patches, or after 90 days if the manufacturer doesn't respond or is slow to bring out a patch. That is what is different here, they waited 6 months, instead of the usual 3, which is odd. They don't usually miss an opportunity to blow their own trumpet as soon as possible.

      I think Apple is getting in a tizzy about nothing, but it certainly seems that Google broke their own 90 day rule for political reasons.

      Although it did come just as the security conferences wound down. Something like this should have been a headliner at DefCon, for example, not an afterthought.

      • wocowboy

        In reply to wright_is:

        Right, these flaws were patched a long time ago. The normal procedure I was talking about is the one where when a security flaw is found, the party who finds the flaw informs the company with the flaw and they have something like 30 days to fix it before the discoverer can make it public. (I heard what this time frame is but do not remember what the exact number of days is.) In this case, Google found the flaw way back earlier in the year, but only gave Apple a week or two before they threatened to make it public. And now Google came out with this new statement in September, many months after the flaw was originally found, and fixed. This was deliberately designed to cause the most embarrassment and stress for Apple instead of giving them the normal amount of time to fix the problem. This tactic has been used before, it's nothing new, but it does not excuse Google from using it.


        • wright_is

          In reply to wocowboy:

          Normally it is 90 days. If the company releases the patches sooner, Google Zero Day will usually announce their findings early. If the company is late, GZD will still, usually, release the information after 90 days.

          They have waited something approaching 180 since Apple released the patches, as I said above. That certainly looks dodgy.

          But Apple playing hurt and trying to say it was only a vulnerable community that was targeted doesn't help their case either.

  4. dontbeevil

    but but apple security is the best ... they were just lucky because of low market share, more market share for them, more security flaws for everybody, will be fun

  5. arthemis

    Well, I can believe that about Google. The 90-ish Microsoft resurrected in our time. Is there something that company does that doesn't smell of dickiness?

    • Tony Barrett

      In reply to arthemis:

      Actually Google's Project Zero do a good job, and give a company a number of months before making a public announcement. Apple may downplay the exploits, but for them, brand image is everything, and they don't want to risk tarnishing that brand at all. In truth, iOS has been exploited a number of times - it's nothing new, despite how Apple spin it.

      Yes, Google's timing could have been better in relation to Apple's keynote, but then I think all we're going to get is more of the same and announcements 95% the same as the last 5 years!

  6. Jeffsters

    Usually have no issue with Project Zero but this announcement was just weird, and looking back, outside the norm. But, hey, wasn’t this the same day, or week, we found out, yet again, that 2 million Google App Store users had downloaded applications with hidden spyware or something? Humm...

  7. MikeGalos

    Honestly, a plague on both their houses.

    Google uses "Project Zero" as a marketing attack tool.

    Apple should have been able to fix this serious flaw quickly since it was accidentally turning off old code and if it was months old and they fixed it within 10 days then what was the patch they issued last week in response to the Google press release?

    Neither one takes security seriously.


    To me, though, the interesting part of this story is that the known exploit, at least according to Apple, was targeting the Uighur community and was sophisticated. I assume the "sophisticated" part was the payload itself since exploiting the bug was trivial.


    A sophisticated exploit targeting the Uighur people is almost certainly written by the Chinese People's Liberation Army who has been known to use cyberwar tools against people the Chinese government is targeting.


    Now, there being open discrepancy of the facts published by the two largest phone OS vendors about a Chinese government attack at a time when both are trying to curry favor with the Chinese government about their sales in China is a sign we'll likely never see the real answers.


  8. red.radar


    I think it’s time that the industry clamp down on these security exploit publications.


    We should have a more orderly and transparent governance process for communicating vulnerabilities. We need to remove the potential for companies to stockpile vulnerabilities and exploit the information.


    This shouldn’t be an issue or even a consideration. It’s time the industry forms a standards body that self polices and is neutral or we get the government to set policies.


    This information should never be weaponized in this manner. It puts company welfare in front of people’s personal informational security.



  9. SvenJ

    I have read in various places, the affected websites, did not only attack exploits in Safari/Apple/iOS, but Chrome/Android and Windows as well. * If that is indeed the case, Project Zero's failure to note that, and target Apple, and the timing, supports the assertion that this was 'business' not altruistic.


    *"and it turns out neither was the fact that Android and Windows were also affected."

    https://www.redmondpie.com/apple-addresses-google-project-zero-report-on-ios-security-calls-it-misleading/

  10. jedwards87

    From what I understand these exploits also affected Android and Windows, yet Google (and Paul's article) failed to mention that. Has Google patched it yet? What about MS?

    • MikeGalos

      In reply to jedwards87:

      You understand wrong. The bug that opened the security hole was code in iOS that was accidentally disabled in an update. This was a simple coding error and not some subtle conceptual error that affected all OSs.


      It was mentioned in the article on the bug when it was reported here as how jailbreaking was enabled again in an article by Mehedi on August 19th and again in Mehedi's article on Apple's emergency patch fixing the bug on August 26th.


  11. AnOldAmigaUser

    Is Google being a corporate jerk? Based on the fact that these flaws were disclosed so long after being patched, and so close to an Apple announcement, and because, well Google...yeah, most definitely.

    Is Apple overreacting to this because they market iPhones as being secure? Yeah.

    Does any of this matter to the Uighurs who are now in "re-education" camps because they were the target of this state sponsored hack? Unfortunately not.

  12. waethorn

    Apple likes to dance around their words carefully for fear that they would lose their profit-maximizing slave labour in China by upsetting The Party.

  13. Awhispersecho

    Why Google has been allowed to do this to MS and now Apple and whoever else they may choose boggles my mind. It's childish, it's dangerous. Hey let's announce security holes to the world so that everyone can have their devices hacked because we are petty little pricks. I am not an Apple fan and I don't really care about MS anymore but this is just dirty and pathetic and looks so immature every time they do this. I give Apple some credit for pushing back, all MS ever does is cower down, put their tails between their legs and beg for forgiveness while rushing out a fix.

    • wright_is

      In reply to Awhispersecho:

      See above, the holes were patched long ago, and Google usually announce what they found after 90 days or when the patches are released. Either they were caught napping or they waited until it could trump Apple's news cycle.

      It is dirty of Google, unless it was an oversight (which seems unlikely), but not in the way you describe.

  14. RonV42

    Part of me thinks Google's project zero team does time things to embarrass their competition.

  15. Stooks

    "Worst of all, perhaps, Google Project Zero suddenly went public with information about the months-old flaws on the same day that Apple announced its September 10 iPhone event"


    If they did this for the purpose of hurting Apple it was a really, really dumb move. Google IMHO is suffering from bad press caused by their privacy and bias stances. Trust in Google is going down and they are lumped in with Facebook when it comes to trust.


    Apple should run an ad stating how many apps were pulled from the Google store because of Malware vs the iOS store. I do remember the news story about how Google said they removed over 700,000 apps from the play store in 2017 because of malware. That is simply insane and I wonder how anyone would consider Android even remotely secure???


    Thankfully there are plenty of options when it comes to Google services, save for YouTube.

    • Thomas Parkison

      > That is simply insane and I wonder how anyone would consider Android even remotely secure???

      I've been saying this for quite some time, how Google has not been able to get a handle on this issue is beyond me. They have the people to do this, yet this problem still exists and has been a problem since Android first came on the scene.


      Combine this with the fact that if you don't have a Google branded device and a security patch comes out, you're pretty much SOL. Samsung? SOL. LG? SOL. OK, Nokia pushes out updates in a timely manner but they're probably the only third-party Android OEM that does security patching right.

  16. Lateef Alabi-Oki

    Wow! This exposure by Google must have really hurt Apple for them to respond in the most irresponsible manner yet. They sound butthurt and tone deaf. This will only serve to motivate Project Zero to discredit the so-called "security and privacy" platitudes of Apple's software platform, which for those of us in the know, has mostly been marketing and PR BS.

    • Thomas Parkison

      In reply to mystilleef:

      When it comes to security, patches that is, Apple is way ahead of Google Android in the sense that the moment Apple releases a security patch all iPhones across the world get it. We can't say that about Android except for Google's own branded devices. Got a Samsung? You're SOL.

      • Lateef Alabi-Oki

        In reply to trparky:


        You're right. But you're also entertaining a false equivalence. Isn't it a bit disingenuous to blame Google for Samsung's irresponsibility?


        If Google pushes out monthly security fixes to Android, and Samsung refuses to push those fixes to their users, is Google or Android at fault here?


        The answer is obvious. Android is just as secure as iOS, some may argue more, if you buy from a vendor that cares about security.

        • Jeffsters

          In reply to mystilleef:

          Google created the licensing for Android and had the power to require security updates as a condition of licensing. They didn’t and now users pay the price. I find it amusing to read the usual anti-Apple Cabal invent issues then make excuses for Google.

  17. F4IL

    > ... stoking fear among all iPhone users ...

    Huh? As if the job of security researchers is to somehow make Apple users feel better?

    > Did Google time this revelation purposefully to undermine the new iPhones? It’s a good question.

    Although it is a question, it is irrelevant. What matters is that as a result of the disclosures the secfixes were pushed out, making Apple customers safer. Feeling safe is not the same as being safe.

    The paternalistic tone of Apple's response seems to clearly prioritize squashing anything that would hurt their corporate image, at the expense of hurting their customers.

  18. Chris_Kez

    I'd like to see Google partner with Microsoft, Apple and other big players and spin out the Project Zero team into a truly independent group. That would go a long way towards reducing both the likelihood and appearance of impropriety or playing favorites.

  19. nbplopes

    So this was an attack done months ago, for which in January there was a patch to fix it by Apple, and now there is a blog post made by Google security researchers just telling all the story 6 months after the fact, it just happens to be a week before the iPhone is launched, claiming the discovery of the bug.


    Have I understood this well or missed something?


    Is this the way Google takes security seriously, including their customers?


    By the way, I believe that companies making software that act as data processors should be required by law to disclose any security breach to data of their customer within a determined time. At least in Europe they are, 60 days or so ... I see a lawsuit coming towards Apple in Europe as they seem to have failed to do so :)


    EDIT: Oops, that is just for data in the Clouds, not data stored locally :)
