27 September 2023

Rotten response: How Apple turned sour on the security community


Dan Goodin* says Apple’s response to the iOS security bombshell dropped by Google has alienated the security community just when the company needs it most.


Photo: David Cardinez

Apple is taking flak for disputing some minor details of the recent bombshell report that, for at least two years, customers’ iOS devices were vulnerable to a string of zero-day exploits, at least some of which were used to install malware that stole location data, passwords, encryption keys, and a wealth of other highly sensitive data.

Google’s Project Zero said the attacks were waged indiscriminately from a small collection of websites that “received thousands of visitors per week”.

One of the five exploit chains Project Zero researchers analysed showed they “were likely written contemporaneously with their supported iOS versions”.

The researchers’ conclusion: “This group had a capability against a fully patched iPhone for at least two years.”

Early last week, researchers at security firm Volexity reported finding 11 websites serving the interests of Uyghur Muslims that the researchers believed were tied to the attacks Project Zero identified.

Volexity’s post was based in part on a report by TechCrunch citing unnamed people familiar with the attacks who said they were the work of a nation-state — likely China — designed to target the Uyghur community in Xinjiang State.

Breaking the silence

For a week, Apple said nothing about the reports.

Then it issued a statement that critics are characterising as tone-deaf for its lack of sensitivity to human rights and a focus on minor points.

Apple officials wrote: “Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February.”

“We want to make sure all of our customers have the facts.”

“First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ‘en masse’ as described.”

“The attack affected fewer than a dozen websites that focus on content related to the Uighur community.”

“Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.”

“Google’s post … creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real time’, stoking fear among all iPhone users that their devices had been compromised.”

“This was never the case.”

“Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not ‘two years’ as Google implies.”

“Security is a never-ending journey and our customers can be confident we are working for them.”

One of the things most deserving of criticism was the lack of sensitivity the statement showed for the Uyghur population, which over the past decade or longer has faced hacking campaigns, internment camps, and other forms of persecution at the hands of the Chinese Government.

Rather than condemning an egregious campaign perpetrated on a vulnerable population of iOS users, Apple seemed to be using the hacking spree to assure mainstream users they weren’t targeted.

Conspicuously missing from the statement was any mention of China.

Nicholas Weaver, a researcher at UC Berkeley’s International Computer Science Institute, summed up much of this criticism by tweeting: “The thing that bugs me most about Apple these days is that they are all-in on the Chinese market and, as such, refuse to say something like ‘A government intent on ethnic cleansing of a minority population conducted a mass hacking attack on our users.’”

Two months or two years?

One of the few factual assertions Apple provided in the statement is that the websites were probably operational for only about two months.

A careful parsing of the Project Zero report shows researchers never stated how long the sites were exploiting iPhone users.

These points prompted satirical tweets similar to this one from Juan Andrés Guerrero-Saade, a researcher at Alphabet-owned security firm Chronicle: “It didn’t happen the way they said it happened, but it happened, but it wasn’t that bad, and it’s just Uyghurs so you shouldn’t care anyways. No advice to give here. Just move along.”

Satire aside, Apple seems to be saying that evidence suggests the sites Google found exploiting the iOS vulnerabilities were operational for only two months.

Additionally, as reported by ZDNet, a researcher from security firm RiskIQ claims to have uncovered evidence that the websites didn’t attack iOS users indiscriminately, but rather only visitors from certain countries and communities.

If either of those points is true then it’s worth taking note, since virtually all media reports have said the sites attacked indiscriminately for at least two years.

Apple had an opportunity to clarify this point and say precisely what it knows about active use of the five iPhone exploit chains Project Zero found.

But its statement said nothing about any of this.

A missed opportunity

Missing from Apple’s statement is any response to the blistering criticism the Project Zero report made of Apple’s development process, which it alleges missed vulnerabilities that should have been easy to catch with standard quality-assurance processes.

Another key criticism is that Apple’s statement has the potential to alienate Project Zero, which according to a Google spokesman has to date privately reported more than 200 vulnerabilities to Apple.

It’s easy to imagine that it wasn’t easy for Apple to read the deep-dive report publicly documenting what is easily the worst iOS security event in its 12-year history.

But publicly challenging a key ally on such minor details with no new evidence does not create the best optics for Apple.

Apple had an opportunity to apologise to those who were hurt, thank the researchers who uncovered systemic flaws that caused the failure, and explain how it planned to do better in the future.

It didn’t do any of those things.

Now, the company has distanced itself from the security community when it needs it most.

* Dan Goodin is the Security Editor at Ars Technica. He tweets at @dangoodin001.

This article first appeared at arstechnica.com.
