Last month, Google Project Zero published a blog post describing iOS security vulnerabilities that allegedly let malicious websites surreptitiously hack iPhones. Of the 14 reported flaws, five were used in a “sustained effort to hack the users of iPhones in certain communities over a period of at least two years.” Apple, however, responded by agreeing to disagree.
If you’re unaware of the whole situation, let us bring you up to speed.
Google Project Zero Report
The blog post reports the discovery of several hacked websites that were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day exploits. Zero-day exploits target undisclosed software vulnerabilities on both Android and iOS platforms, and the participants in the underground markets that trade them rake in millions for their work.
Coming back to the issue at hand, Google’s security arm reveals there was no target discrimination; in other words, any user visiting a hacked site would become prey. The scope of the attack encompasses the thousands of weekly visitors of these infected websites.
Google’s Threat Analysis Group (TAG), under the Project Zero mission, discovered this threat. It functions with the sole aim of tackling 0-day threats.
It claims almost every version from iOS 10 up to the latest version of iOS 12 was vulnerable. And for the last two years, Uighurs, a predominantly Muslim minority group in China, were the target of this attack. The name of the targeted community was revealed by reputed media outlets like CNN and TechCrunch, and was later confirmed by Apple as well.
The Cupertino-based giant condemned the way Google hyperbolized the whole matter. It said the attack “was narrowly focused” and affected “fewer than a dozen websites that focus on content related to the Uighur community in China.” It rejected the allegations of a widespread risk. It was further noted that the issue had been fixed back in February, after Apple was notified. Besides, the attack lasted only about two months, not two years as publicized by Google.
Apple’s official statement read –
“Google’s post, issued six months after iOS patches were released, creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real-time,’ stoking fear among all iPhone users that their devices had been compromised. This was never the case.”
Google, however, holds its ground. It says –
“Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online.”