Late Thursday, Google security researchers dropped a bombshell: Someone had launched a sustained attack against iPhone users that compromised their devices almost instantly when they visited certain websites. The campaign forced a fundamental shift in how security professionals think about iOS. And now, after a week of silence, Apple has finally given its side of the story.
In a brief statement, Apple confirmed that the attacks had targeted China’s oppressed Uyghur Muslim community, as had previously been reported. But the statement also called out multiple points of contention with how Google characterized the attack.
“First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ‘en masse’ as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community,” the statement reads. “Google’s post, issued six months after iOS patches were released, creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real time,’ stoking fear among all iPhone users that their devices had been compromised. This was never the case.”
The company also disputed aspects of Google’s timeline, saying that the malicious sites were operational for two months, rather than the roughly two years Google had estimated. Apple’s statement also says that it had already discovered the vulnerabilities a few days before Google brought them to Apple’s attention. “We were already in the process of fixing the exploited bugs,” Apple says. The eventual patch went out on February 7 as part of the iOS 12.1.4 update.
Apple did not, however, dispute the specifics of how the campaign worked. Researchers from Google’s elite Project Zero security group identified five distinct exploit chains the malicious sites could use to compromise iPhones running almost every version of iOS 10 through iOS 12. The sites, which had thousands of visitors per week, would check a visiting device and, if one of the chains matched it, silently infect it with powerful monitoring malware. The attackers reportedly targeted Microsoft Windows and Android devices as well.
The Apple statement also doesn’t undercut the central significance of the attacks. Security experts have long assumed that iPhone hacks primarily target very specific, high-value victims, because iOS vulnerabilities that can provide such deep system access to attackers are too rare and prized to risk burning in mass campaigns. In this situation, though, attackers were using numerous valuable iOS exploits with abandon, shifting that established paradigm.
“Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies,” wrote a Google spokesperson in response to Apple’s statement. “We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online.”
As Project Zero laid out last week, the malicious sites took advantage of 14 vulnerabilities across five distinct exploit chains, each a series of bugs exploited in sequence to gain deeper and deeper access. Google’s researchers found that the attackers focused on defeating the protections surrounding key, often-attacked areas of iOS. Seven of the bugs were in Apple’s Safari browser. Five vulnerabilities were in the kernel, the operating system’s core code. And the hackers exploited two distinct “sandbox escape” vulnerabilities, which break out of the restrictions that are meant to stop a compromised app from reaching other programs or their data. In a typical chain, the browser bug gives the attacker code execution inside Safari’s restricted process, the sandbox escape gets out of that process, and the kernel bug hands over control of the whole device.
Once a device was compromised, the malware could steal user files, access the iOS Keychain, which stores passwords and other sensitive data, and monitor live location data. It requested new instructions from a command and control server every 60 seconds. With such deep system access, the attackers could also potentially read or listen to communications sent through end-to-end encrypted messaging services like iMessage or Signal: that encryption protects messages in transit, but the apps still decrypt them on the sender’s and receiver’s devices, so malware with this level of access reads them there. Attackers may even have grabbed access tokens that could be used to log into services like social media and communication accounts without the victim’s password.
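A fixed 60-second check-in is the kind of cadence a network defender can hunt for in proxy or flow logs, even without knowing the server in advance. The Python below is an added example, not code from the original article or from Google’s research: it groups requests by client/server pair in a constructed log and flags pairs whose request gaps are nearly constant. The log format, the IP addresses and the hostnames (including example-c2.test) are assumptions made up for illustration.

```python
"""Beacon-cadence detector over a constructed proxy-style log.

Added example, not Project Zero's code. It flags client/server pairs whose
request gaps are near-constant, the pattern a 60-second command-and-control
poll leaves behind. Log format, addresses and hostnames are invented.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <client ip> <server host>".
# 10.0.0.5 polls example-c2.test about once a minute with small jitter;
# 10.0.0.7 browses www.example.org at irregular intervals.
SAMPLE_LOG = """\
2019-02-01T10:00:00 10.0.0.5 example-c2.test
2019-02-01T10:00:03 10.0.0.5 www.example.org
2019-02-01T10:01:00 10.0.0.5 example-c2.test
2019-02-01T10:01:45 10.0.0.5 cdn.example.org
2019-02-01T10:02:01 10.0.0.5 example-c2.test
2019-02-01T10:02:59 10.0.0.5 example-c2.test
2019-02-01T10:03:20 10.0.0.5 www.example.org
2019-02-01T10:04:00 10.0.0.5 example-c2.test
2019-02-01T10:05:00 10.0.0.5 example-c2.test
2019-02-01T10:05:10 10.0.0.7 www.example.org
2019-02-01T10:07:30 10.0.0.7 www.example.org
2019-02-01T10:09:05 10.0.0.7 www.example.org
2019-02-01T10:12:00 10.0.0.7 www.example.org
2019-02-01T10:12:30 10.0.0.7 www.example.org
"""


def parse_log(text):
    """Return {(client, server): [datetime, ...]} from the constructed format."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server = line.split()
        sessions[(client, server)].append(datetime.fromisoformat(ts))
    return sessions


def interval_stats(timestamps):
    """Mean gap in seconds and its coefficient of variation (stdev / mean).

    A low coefficient of variation means the gaps are nearly identical,
    i.e. the client is on a timer rather than driven by a human.
    Returns None when there are too few gaps to judge.
    """
    times = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv


def find_beacons(text, min_requests=5, max_cv=0.15):
    """Return [(client, server, mean_gap_seconds)] for timer-like pairs.

    min_requests: enough samples for the regularity to mean something.
    max_cv: jitter tolerance; implants rarely hit exactly 60.0 s, so do not
    demand it, but a human browsing session will be far noisier than this.
    """
    hits = []
    for (client, server), times in parse_log(text).items():
        if len(times) < min_requests:
            continue
        stats = interval_stats(times)
        if stats is None:
            continue
        mean, cv = stats
        if cv <= max_cv:
            hits.append((client, server, round(mean, 1)))
    return hits


if __name__ == "__main__":
    for client, server, gap in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {server}: ~{gap}s cadence, possible beacon")
```

On the constructed log only the 10.0.0.5 to example-c2.test pair is flagged, at a mean gap of 60.0 seconds; the same client’s visits to www.example.org are too few, and 10.0.0.7’s browsing is far too irregular. In practice the thresholds are tuned per environment, and legitimate pollers (mail clients, update checks) have to be allow-listed, but the cadence signal itself does not depend on recognising the server.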