Last week, Google’s Project Zero security research team detailed what it described as “one of the largest attacks against iPhone users ever.” Now, Apple has responded to Google’s findings – taking issue with many of the claims.
Google’s findings last week detailed a series of hacked websites, which were randomly distributing malware to iPhone users. Once a user visited one of the malicious websites and the malware was deployed, the implant “primarily focused on stealing files and uploading live location data,” as often as every 60 seconds.
In a new statement, Apple accuses Google’s blog post of “creating the false impression of mass exploitation,” despite the fact that “this was never the case.” Apple says the flaws detailed by Google were never “broad-based” and instead affected fewer than a dozen websites focused on content related to the Uighur community. This was first reported by TechCrunch last weekend.
First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.
Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.
Furthermore, Apple says that the website attacks were only operational “for a brief period,” whereas Google claimed they ran for “two years.” Apple also reiterated that the vulnerability was patched in iOS 12.1.4.
Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.
Ultimately, Apple says that “security is a never-ending journey” and that iOS security is “unmatched.” The company also says that it takes end-to-end responsibility for the security of its hardware and software:
Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they’re found. We will never stop our tireless work to keep our users safe.