Apple is pushing back on reports that iOS has a security problem.
Apple said today that an iPhone hack disclosed by Google was targeting members of the Uighur Muslim community—not the public at large, as some had feared.
“Google’s post, issued six months after iOS patches were released, creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real time,’ stoking fear among all iPhone users that their devices had been compromised. This was never the case,” Apple said in a statement.
“Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not ‘two years’ as Google implies,” Apple added.
Google researchers uncovered 14 previously unknown vulnerabilities in iOS that were being used by a mysterious group to deliver spyware to iPhones. The attacks were unleashed as soon as an iPhone visited a rigged website. “We estimate that these sites receive thousands of visitors per week,” Google said.
Apple patched the vulnerabilities in February, but Google’s report, released last week, sparked major alarm in the IT security community.
Google has refrained from disclosing which websites were delivering the attacks, or who was behind the spying campaign. But there’s evidence the hackers were affiliated with the Chinese government and were targeting the Uighur Muslim community, using not only iOS exploits but also Android and possibly Windows-based attacks. Security firm Volexity noticed activity coming from at least 11 sites, which include the Uighur Times, the Turkistan Press, and Turkistan TV.
Apple initially remained mum on the whole matter. But on Friday, it was prompted to respond after hearing from customers concerned about the threat.
“First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ‘en masse’ as described,” Apple said in the statement. “The attack affected fewer than a dozen websites that focus on content related to the Uighur community.”
Apple refrained from pointing fingers at a possible culprit. The tech giant also made no mention of how it’ll address Uighurs targeted by the spying campaign at a time when the Chinese government has been detaining members of the Muslim ethnic minority in re-education camps, according to human rights groups. This prompted some critics to deride Apple’s statement as dismissive of what’s happening to the Uighurs.
“It wasn’t widely exploited, they just remotely dumped the phones of an ethnic group China is sending to concentration camps. Not regular people like you and me.”
— SwiftOnSecurity (@SwiftOnSecurity) September 6, 2019
‘It didn’t happen the way they said it happened, but it happened, but it wasn’t that bad, and it’s just Uyghurs so you shouldn’t care anyways. No advice to give here. Just move along.’
— J. A. Guerrero-Saade (@juanandres_gs) September 6, 2019
Even if we accept Apple’s framing that exploiting Uyghurs isn’t as big a deal as Google makes it out to be, they have no idea whether these exploits were used by the PRC in more targeted situations. Dismissing such a possibility out of hand is extremely risky.
— Alex Stamos (@alexstamos) September 6, 2019
Nevertheless, Cupertino said customers can be confident in the security of Apple products. Apple said it was already in the process of patching the problem when Google notified it about the vulnerabilities.
In response, a Google spokesperson told PCMag the company’s researchers released the report on the iPhone hacks “to advance the understanding of security vulnerabilities, which leads to better defensive strategies.
“We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online,” the spokesperson added.