Apple disputes how Google characterized the iPhone vulnerability it discovered

Toward the end of last month, we told you that Google's Project Zero team of security researchers discovered some hacked websites that were loading malware onto iOS devices. When Apple iPhone users visited these sites, even if there was no real interaction, software would be implanted inside the iPhone that would send information from the infected handset to a designated server. Practically all versions of iOS 10 through 12 were affected. Google reported the issue to Apple on February 1st of this year, and six days later iOS 12.1.4 was pushed out with a security patch.

Even though Google's security team apparently saved iPhone users from having their personal information sent to some remote server, Bloomberg reports that Apple is not pleased with Google's description of how pervasive this issue was. Google said that this was "a campaign exploiting iPhones en masse," while Apple says that fewer than a dozen websites were involved and the attack targeted the Uighur Muslims living in China. Apple also takes issue with Google's comment about the duration of the attack; the latter says that iPhone users were exposed to it for two years while Apple says that the vulnerabilities were up for "roughly two months." However, Google's Threat Analysis Group (TAG) said that it found exploits "covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years."

Apple has been promoting the iPhone as a device that keeps its users' personal information private and secure


Yesterday, Google said that it stands by its in-depth research and also issued a statement. In its report, the Alphabet unit warned that while the campaign was a failure for this one attacker, "there are almost certainly others that are yet to be seen."


As we pointed out in our original article, it is a good idea to stay away from shady websites. In this case though, it didn't matter if you interacted with the hacked site; as soon as an iPhone visited the webpage, the phone became infected. And hackers could send an email with links to these sites claiming that you've won a prize, or use other techniques to get you to click on that link, visit the suspect website and infect your iPhone.


Apple might have felt the need to correct Google because of its privacy campaign. You might recall that early this year during the Consumer Electronics Show (CES) in Las Vegas, Apple put up a huge billboard on the side of a hotel that overlooks the Las Vegas Convention Center, the venue that hosts the popular annual expo. The billboard was a riff on the famous "What happens in Las Vegas, stays in Las Vegas" line created by the Las Vegas Convention and Visitors Authority to attract visitors. Apple's billboard read, "What happens on your iPhone, stays on your iPhone." Apparently, there was no room on the billboard to add "...unless your iPhone visited a hacked website."


The report from Project Zero noted that "simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week." So while it is certainly in Apple's interest to play down this attack, it surely seems to have been as serious and widespread as Google claims it was.


27 Comments

1. Vancetastic

Posts: 1614; Member since: May 17, 2017

Well, this should be good. Do I trust the word of a giant, for-profit company, or the word of the other giant, for-profit company?

5. maherk

Posts: 6966; Member since: Feb 10, 2012

Two birds, one stone lol Now fanboys from both camps will go after you.

11. Vancetastic

Posts: 1614; Member since: May 17, 2017

Bring it, keyboard warriors!

12. sgodsell

Posts: 7456; Member since: Mar 16, 2013

There really is only one way to tell. That is time, and it will be sooner than you think. Both companies are based in the US, and that is the land of the lawyers. People go after others if you look at them wrong, or get 20 million if coffee cups from McDonalds aren't labeled with a warning message saying "Caution Hot". Now if Apple doesn't go after Google for this "slander and defamation", then that tells me that Google is telling the truth, and Apple is a liar. Besides Apple has gone after other companies for saying and doing less. If Apple does go after Google and wins, then Google is the liar. Also which company has been caught lately for lying to their customers? I will give you a hint. It's not Google.

13. Vancetastic

Posts: 1614; Member since: May 17, 2017

I'm sure that you're very unbiased. Good Lord...

14. sgodsell

Posts: 7456; Member since: Mar 16, 2013

If you really read what I posted, then you should know that the real truth will reveal itself in time. That way you, me, and everyone else will know the real truth. Right Vancetastic. Do you not understand that if Apple doesn't take Google to court for this, then Apple is a liar. If Apple takes Google to court and wins, then Google is the liar. It's so simple, can you not see that?

16. Vancetastic

Posts: 1614; Member since: May 17, 2017

All we will know is who has the best lawyers.

18. AbhiD

Posts: 850; Member since: Apr 06, 2012

Your post was more than revealing of your bias. Now don't try to hush it up. And this is coming from an Android user who has never had Apple products.

24. slashas

Posts: 143; Member since: Jul 17, 2017

But why is Google being fined by the EU for customer data breaches? Same with Facebook, etc. :)

7. miketer

Posts: 531; Member since: Apr 02, 2015

ROTFL

2. tedkord

Posts: 17417; Member since: Jun 17, 2009

Let me guess - only 9 people were affected?

3. Onespot

Posts: 55; Member since: Mar 15, 2018

This concludes iPhone is not as safe as they advertise.

4. tedkord

Posts: 17417; Member since: Jun 17, 2009

Nothing is.

8. miketer

Posts: 531; Member since: Apr 02, 2015

Absolutely

39. splus

Posts: 163; Member since: Nov 26, 2011

Nothing is safe, but the thing is that only Apple claimed their iPhone is safe.

46. Onespot

Posts: 55; Member since: Mar 15, 2018

But not everyone exaggerates their OS privacy

41. ssallen

Posts: 202; Member since: Oct 06, 2017

Reading comprehension and critical thinking really aren't your things huh? Apple doesn't dispute the SEVERITY of the bug or that the bug even existed, they are using smoke and mirrors by arguing that the bug didn't IMPACT AS MANY PEOPLE as Google supposedly "suggested". The reality is that this bug could have EASILY IMPACTED MILLIONS if it was deployed to websites that serviced millions. The fact that the actor only used it to target a small ethnic community says absolutely nothing about the bug itself. The bug was bad, very, very bad. Probably the worst vulnerability we have seen in some time. Apple is embarrassing itself by splitting hairs here... people could have -and maybe even did - lose their lives over this vulnerability. China wasn't monitoring this group because they wanted to monitor traffic congestion. They used this vulnerability to oppress an ethnic minority. Apple can spin whatever they want but this was no minor issue despite what they want you to sheepishly eat up.

6. Alcyone

Posts: 489; Member since: May 10, 2018

I wonder would an active virus scan of websites visited alert to this type of threat? McAfee does pretty good at picking out shady open wifi and websites on my Android.

9. Back_from_beyond

Posts: 1440; Member since: Sep 04, 2015

I don't think it would've made a difference on an iPhone at least. Apple takes restricting access to its own apps very seriously, so other apps wouldn't be allowed to interact or monitor activity. That's exactly why this vulnerability has gone unnoticed for as long as it has. Even Apple hasn't got a clue to what extent it was exploited, but you can bet it happened a lot more than is currently known.

10. sraj49

Posts: 42; Member since: Sep 12, 2014

The fact is that the commercials were there and they are addressing the same. Apple never had accepted any security flaws which is natural in software which Google recognized and addresses majority of them by monthly security update. Whereas, Apple always states work the premise that no one can breach their security and live on publicizing this myth rather than watch out for vulnerabilities and address them

15. HumbleJ06

Posts: 98; Member since: Aug 10, 2015

Read on more than one website about this regarding how Android being open source and fragmented makes Android more secure. The idea is more eyes on the code and multiple versions from numerous vendors make it hard for a hack to affect all Android unlike a hack would for iOS. Also another reason for Android being more secure now is Android splitting the OS upgrade from security updates. These were interesting takes and made sense. As far as Google notifying Apple, who cares if it was major and affected millions or hundreds of thousands. Apple should have just said thanks, fixed the exploit, and not made an issue of it. Apple's response makes them sound petty.

17. kabhijeet.16

Posts: 892; Member since: Dec 05, 2012

Trust google, not Apple.

19. AbhiD

Posts: 850; Member since: Apr 06, 2012

Really? Trust Google? I mean don't trust Apple if you want, but you are telling people to trust GOOGLE? A company which literally earns their penny by selling its users' data? WTH man! Get your priorities straight

20. iushnt

Posts: 3126; Member since: Feb 06, 2013

Earning through users data has nothing to do with not trusting them. Their business model is different.

32. tedkord

Posts: 17417; Member since: Jun 17, 2009

Trust no multi-million/billion dollar corporation. Not a single one of them cares about their customers past their wallets.

25. gadgetpower

Posts: 283; Member since: Aug 23, 2019

Hackers will always be present no matter what platform, but Apple is really the best in software support, especially when it's privacy concerns. Good job Apple.

33. sissy246

Posts: 7124; Member since: Mar 04, 2015

Two years, two months, it happened either way. How about thanking Google for finding it even if you don't agree with the time frame and move on.
