Apple takes flak for disputing the iOS security bombshell dropped by Google

Apple is taking flak from critics for disputing some minor details of last week's bombshell report that, for at least two years, its customers' iOS devices were vulnerable to a raft of zero-day exploits, at least some of which were actively exploited to install malware that stole location data, passwords, encryption keys and a wealth of other highly sensitive data.

According to Google's Project Zero, the attacks were carried out indiscriminately by a small collection of websites that "receive thousands of visitors per week." Analysis of one of the five exploit chains by Project Zero researchers indicated the chains "were likely written contemporaneously with their supported iOS versions." The researcher's conclusion: "This group had a capability against a fully patched iPhone for at least two years."

Earlier this week, researchers at security firm Volexity said they had found 11 websites serving the Uyghur Muslim community that they believed were connected to the attacks identified by Project Zero. The Volexity post built on a TechCrunch report that quoted anonymous people familiar with the attacks who said they were state-sponsored (presumably by China) and aimed at the Uyghur community in the Xinjiang region.

Breaking the silence

For a week, Apple said nothing about the reports. Then, on Friday, it issued a statement that critics describe as tone-deaf for its lack of sensitivity to human rights and its undue focus on minor details. Apple officials wrote:

Last week, Google published a blog post about vulnerabilities that Apple fixed for iOS users in February. We've heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones "en masse" as described. The attack affected fewer than a dozen websites that focus on content related to the Uyghur community. Regardless of the scale of the attack, we take the security of all users extremely seriously.

Google's post, issued six months after the iOS patches were released, creates the false impression of "mass exploitation" to "monitor the private activities of entire populations in real time," stoking fear among all iPhone users that their devices had been compromised. This was never the case.

Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not "two years" as Google states. We fixed the vulnerabilities in question in February, working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

Security is a never-ending journey, and our customers can be confident that we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our global product security teams are constantly looking for new protections, and we patch vulnerabilities as soon as they are found. We will never stop our tireless work to keep our users safe.

Among the sharpest criticisms was the statement's lack of sensitivity toward the Uyghur population, which over the past decade has been subjected to hacking, internment and other forms of persecution by the Chinese government. Rather than condemn a blatant campaign against a vulnerable population of iOS users, Apple seemed to use the hacking spree to reassure mainstream users that they were not targeted. Any mention of China was conspicuously absent from the statement.

Nicholas Weaver, a researcher at the International Computer Science Institute at UC Berkeley, summed up much of this criticism in a tweet: "What bugs me the most about Apple these days is that they are neck-deep in the Chinese market and, as such, refuse to say something like, 'A government determined to ethnically cleanse a minority population conducted an attack on our users.'"

The statement also seemed to use the fact that "fewer than a dozen" sites were involved in the campaign as a mitigating factor. Project Zero made clear from the beginning that the number of sites was "small" and that they received only a few thousand visitors per week. More importantly, the size of the campaign had everything to do with decisions made by the attackers and little or nothing to do with the security of iPhones.

Two months or two years?

One of the few factual claims Apple offered in the statement is that the websites were likely operational for only about two months. A careful reading of the Project Zero report shows that the researchers never said how long the sites were actively and indiscriminately exploiting iPhone users. Rather, the report said a review of the five attack chains, comprising 14 separate exploits, suggested the attackers had the capability to infect fully up-to-date iPhones for at least two years.

These points prompted satirical tweets such as this one from Juan Andrés Guerrero-Saade, a researcher at Chronicle, a security company owned by Alphabet: "This did not happen the way they said, but it happened, but it was not so bad, and it's just Uyghurs, so you should not go crazy anyway. No advice to give here. Just move along."

Satire aside, Apple appears to be asserting that the evidence suggests the sites Google discovered indiscriminately exploiting iOS vulnerabilities were operational for only two months. In addition, as reported by ZDNet, a researcher from security firm RiskIQ claims to have found evidence that the websites did not attack iOS users indiscriminately, but only visitors from certain countries and communities.

If either of these points is true, it is worth noting, since virtually all media outlets (including Ars) reported at the time that the sites attacked indiscriminately for at least two years. Apple had the opportunity to clarify this point and to spell out what it knows about the active use of the five iPhone exploit chains discovered by Project Zero. But Friday's statement said nothing about it, and Apple representatives did not respond to a request for comment for this article. A Google spokesman said he did not know exactly how long the small collection of websites identified in the report was operational. He said he would try to find out, but he did not follow up.

In a statement, Google officials wrote: "Project Zero publishes technical research designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our extensive research, which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online."

A missed opportunity

Jake Williams, a former NSA hacker and founder of security firm Rendition Infosec, told Ars that, ultimately, the length of time the exploit sites were active was immaterial. "I don't know that those 22 months matter," he said. "It seems like their statement is nothing more than a straw man to distract from the human rights abuses."

Apple's statement also does not respond to the Project Zero report's scathing criticism of Apple's development process, which it alleged missed vulnerabilities that, in many cases, should have been easy to catch with standard quality-assurance processes.

"I'll investigate the root causes of the vulnerabilities I'm evaluating and analyze some of the insights we can gain into Apple's software development lifecycle," Project Zero researcher Ian Beer wrote in an overview of the report published last week. "The root causes I highlight here are not novel and are often overlooked: we'll see cases of code that seems to have never worked, code that probably skipped quality control or was probably subject to little testing or review before being shipped to users."

Another key criticism is that Apple's statement could potentially alienate Project Zero, which, according to a Google spokesperson, has so far privately reported more than 200 vulnerabilities to Apple. It is easy to imagine that Apple found it hard to read last week's detailed report, which publicly documented what was by far the worst security event in the 12-year history of iOS. But publicly disputing a key ally over such minor details without any new evidence does not create the best optics for Apple.

Apple had the opportunity to apologize to those who were harmed, to thank the researchers who uncovered the systemic flaws that led to this failure, and to explain how it plans to do better in the future. It did none of those things. Now the company finds itself at odds with the security community at a time when it needs that community most.
