Google’s Report On iPhone Exploit Was Exaggerated, Says Apple
Last week, Google announced in a blog post that its Threat Analysis Group (TAG) and Project Zero had discovered a series of iOS exploit chains in the wild that were designed to hack iPhones over a period of at least two years. The chains were being used on websites to extensively attack those sites' visitors using an iPhone zero-day exploit.
Breaking its silence on the security concerns reviewed in Google’s report, and to curb speculation about the extent of the vulnerability, Apple said in an official press release that the scale of the attack was far smaller than Google implied.
The Cupertino giant said that “the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ‘en masse’ as described,” by Google researchers. “The attack affected fewer than a dozen websites that focus on content related to the Uighur community.”
Regardless of the scale of the attack, Apple added that the safety and security of all its customers is a high priority for the company.
“Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case,” Apple said in the press release.
The company also disputed what it called false statements regarding the duration of the website attacks. It said that the attacks lasted only two months and not “two years” as mentioned by Google researchers.
“All evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs,” the company added.
Apple concluded the press release by reassuring users that the company takes security extremely seriously: “Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they’re found. We will never stop our tireless work to keep our users safe.”
For its part, Google responded to Apple’s statement, saying it stands by “our in-depth research which was written to focus on the technical aspects” of these vulnerabilities.
“Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies,” Google said in a statement. “We will continue to work with Apple and other leading companies to help keep people safe online.”