Apple issues statement refuting Google's 'false impression' of iOS security [u]
Apple has challenged some of Google's claims regarding iOS vulnerabilities, and stresses that its own 'end-to-end' security systems are 'unmatched' by its rivals.

In a rare public response, Apple has issued a press release specifically to address recent claims by Google concerning security vulnerabilities within iOS. Apple disagrees with Google's estimate of how long these vulnerabilities were open to attack, and how many websites were affected.
Apple also states that it addressed the issues promptly and accuses Google of deliberately causing concern for iPhone users.
"Google's post, issued six months after iOS patches were released," says the release, "creates the false impression of 'mass exploitation' to 'monitor the private activities of entire populations in real time,' stoking fear among all iPhone users that their devices had been compromised. This was never the case."
"The attack affected fewer than a dozen websites that focus on content related to the Uighur community."
Apple says that Google's claim that websites which exploited these vulnerabilities were able to attack users for two years is grossly inflated.
"All evidence indicates that these website attacks were only operational for a brief period, roughly two months," the statement continues.
"We fixed the vulnerabilities in question in February -- working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs."
Apple's release concludes with a statement claiming that iOS has unmatched security, and in a criticism of Google, says that it is because "we take end-to-end responsibility."
The complete text of Apple's statement reads:
Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We've heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.
First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones "en masse" as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.
Google's post, issued six months after iOS patches were released, creates the false impression of "mass exploitation" to "monitor the private activities of entire populations in real time," stoking fear among all iPhone users that their devices had been compromised. This was never the case.
Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not "two years" as Google implies. We fixed the vulnerabilities in question in February -- working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.
Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they're found. We will never stop our tireless work to keep our users safe.
Google later responded to Apple's press release in a statement to The Verge.
"Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online," a Google spokesperson said.
Updated with statement from Google.
Comments
iOS is not insecure, nor should it be inferred it is when rare exploits are exposed.
The importance of Google’s Project Zero cannot be overstated, but the handling of this issue was sloppy and irresponsible. It’s now obvious this was little more than a smear campaign against Apple as the issue was not only fixed in a timely manner 6 months ago, but singling out iOS as the only target was disingenuous when vulnerabilities in Windows and Android were exploited as well.
There is no way the Project Zero team did not know ALL the facts of this “attack” and it’s apparent that Google marketing must’ve stepped in and decided to publicly disclose only certain aspects to disparage iOS.
Your iOS may not be insecure, but your iPhone most likely is.
NIST and the NSA introduced backdoors in standards for the baseband radios, hacked the makers of SIM cards, etc.
Police all over have Stingrays that spoof cell towers and sweep up the data of people without a warrant or probable cause.
Then there are security issues related to the ISP/wireless ISPs and how they process and handle your data.
After all that, then you get to weaknesses in the UNIX base, the open source technologies incorporated into iOS, Apple’s own proprietary software and protocols and then the apps running on iOS from 3rd party vendors.
Finally do not forget that Apple runs some services on AWS and is therefore subject to the security concerns of that platform.
So you might be right regarding iOS, but your iPhone - not so much.
https://www.forbes.com/sites/thomasbrewster/2019/09/01/iphone-hackers-caught-by-google-also-targeted-android-and-microsoft-windows-say-sources/#43e4c76b4adf
The last part of your comment I find troubling, as it is a statement without a shred of evidence.
All of my iOS devices were patched in February.
What’s more troubling about your comment is that people seem to want to hold some schmuck’s comment on a message board to a higher standard than actual journalists or “informed” bloggers. All over the internet supposed reputable writers make claims without anyone asking for “evidence” and they blindly follow.
There was nothing false in what the Project Zero engineers blogged about - which was the intricacies of the extremely complicated exploit; the hackers had to find and exploit more than a dozen different vulnerabilities to affect an iOS device. That exact exploit was in fact iOS only, but to believe or think that the hackers didn’t also target the other two major platforms is pure ignorance.
Anyone in-the-know believed that as well, and I believe it was Forbes that uncovered the fact that both Windows and Android vulnerabilities were exploited and the “two year” figure actually applies to those exploits, not iOS. Apple has the ability to determine how long a specific vulnerability has existed due to the fact that they know when that code was released into the wild and they have stated it was only possible to exploit up to two months prior.
The irony of this whole issue is that it was probably much, much easier for the hackers to “break” into Android and Windows, than it was to find a way into iOS.
Stagefright... Quadrooter... Millions at risk! No fix possible!!
In truth zero real life danger, not one in the wild exploit, no harm to any users device, but sloppy reporting made sure the damage was done anyway.
These constant click-bait articles, inferences of danger not actually based in fact, and whip-it-out penile measurements between fans and even companies do not help consumers one iota.
It sounds like Apple is saying they were already closing these exploits and that they learned about them not from Google.
Don't know who's to blame for the tone or timing of the article, but to infer that iOS is "insecure" with it is 100% wrong.
Found the article on Forbes. I cannot find any of your claims about the two year figure only being based on the Windows and Android exploits. The same can be said for the claim about Apple's knowledge of the duration of the exploit. Where are you getting this from? Just the short press release of Apple? There is no mention made about how they determined the two months in that press release.
And the last part is, again, a statement without a shred of evidence. Based on the information about this particular incident related to the Uighur community you cannot make such a claim. It is reductive, and just makes it a fanboy war.
And for the record, I think that Project Zero should have mentioned the broader targeting of the Uighur community on Android and Windows if they had any knowledge about it.
EDIT: It is Microsoft claiming no knowledge of the sites exploiting iPhones also targeting Windows, nor have any researchers reported similar exploits to them so far. In addition "other sources" familiar with the hacks claimed Google had only seen iOS exploits being served from the sites.
What's lost in this, is that this is the Chinese Government behind the hacks.
https://support.apple.com/en-us/HT209520
So yes both could be correct. A Google group discovered it and reported it to Apple, but by the time the second Google group (Project Zero) gave them specifics they were already working on it. In fact I think the Project Zero blog post alludes to that being the case. Project Zero didn't discover it, that would have been TAG, but they did figure out how it worked.
No one actually lying but both could be a bit more transparent?