Saturday, 07 September 2019 21:02

Apple issues message about iOS security post Google's 'deep dive'

By Alex Zaharov-Reutt

After Google's alarming Project Zero security report, which described a group making a "sustained effort to hack the users of iPhones in certain communities over a period of at least two years", Apple has struck back.

On the 28th of August, Google's Project Zero, the division that finds and reports security vulnerabilities, published a very detailed blog post entitled "A very deep dive into iOS Exploit chains found in the wild". Apple has now answered with a pointed message of its own.

UPDATE: Google has issued a statement to The Verge, responding to Apple's statement. Google's statement is at the end of this article. 

First, some background. Google noted that its Threat Analysis Group (TAG) had "discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day".

Ian Beer of Project Zero continued, stating: "There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.

"TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.

"I’ll investigate what I assess to be the root causes of the vulnerabilities and discuss some insights we can gain into Apple's software development lifecycle. The root causes I highlight here are not novel and are often overlooked: we'll see cases of code which seems to have never worked, code that likely skipped QA or likely had little testing or review before being shipped to users."

The rest of Beer's analysis is in the Project Zero post and is well worth reading in full, but what did Apple have to say in response?

A week later, Apple issued a response entitled "A message about iOS security".

Apple's statement is reprinted in full, below:

"Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We’ve heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.

"First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.

"Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.

"Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

"Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they’re found. We will never stop our tireless work to keep our users safe."

So Apple has responded at last, and argues that things were nowhere near as dire as Google suggested, while still conceding that the website attacks were operational for roughly two months.

Let us hope that Apple, Google, Microsoft and others have quadrupled their efforts to proactively find these vulnerabilities and squash them as quickly and as definitively as possible.

These vulnerabilities are extremely serious and threaten the security and privacy of all users, especially zero-days, which vendors such as Apple, Google and Microsoft cannot protect their users against until a fix ships. In this case the fixes were released in February 2019 (iOS 12.1.4), so the practical lesson for users is the usual one: install updates promptly, because a device left on an older iOS version stayed exposed to these chains long after the patch was available.

Of course, Google's Android is by no means immune to attackers, nor are Microsoft, Facebook and others, so the old adage about throwing stones in glass houses applies to every player.

As former US President Ronald Reagan said, freedom is not passed down through the bloodline to every new generation, but must be fought for and preserved.

Ultimately, no device can ever be guaranteed to be completely secure. This episode is a reminder of how fragile security and privacy are for all of us, and that we must be the ones to pass freedom, security and privacy on to future generations, lest we end up telling our grandchildren what it was once like to live in a world where those things were taken for granted but are no longer.

We don't live in that particular future yet. Let us hope that we never do.

Update: Google issued a statement to The Verge:

"Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online."


Alex Zaharov-Reutt