Last week Google disclosed a large-scale hacking effort that it said targeted users of Apple devices. It was a bombshell story.
But now Apple has gone on the attack – angry in public, and absolutely incensed in private at what is being seen as something of a stitch-up. Google is standing by its research.
In a statement posted on Friday, Apple took issue with Google’s characterisation that this was a broad attack on all iPhone users.
“Google’s post, issued six months after iOS patches were released, creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real-time,’ stoking fear among all iPhone users that their devices had been compromised,” it reads.
“This was never the case.”
Apple’s bone of contention isn’t so much about what Google’s Project Zero team included in its report. Rather, Apple is upset about what was left out. The view from Cupertino is that Google’s business interests in China led it to pull back on describing the attack as being targeted at the persecuted Uighur community.
“The sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ‘en masse’ as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community.”
This perspective is backed up by independent research from Volexity, a cyber-security firm based in Washington DC. It published a report earlier this month looking into the same threat, and stated unequivocally that Uighurs were the target – detailing 11 websites that had been used to carry out the attack.
Most notably, the Volexity report states that as well as Apple’s iOS, Google’s own mobile operating system, Android, was also targeted – a detail that was missing from Google’s research.
Google insists it didn’t know Android was affected – but it’s well aware how it looks.
Tim Willis, a researcher on the Project Zero team, wrote in a tweet that Google’s Threat Analysis Group “only saw iOS exploitation on these sites when TAG found them back in Jan 2019 (and yes, they looked for everything else as well)”.
The independent researchers I’ve spoken to are mostly giving Project Zero the benefit of the doubt on that point. It’s a highly respected group in the cyber-security space, and hasn’t been seen as some kind of weapon against Google’s rivals. Besides, this isn’t exactly the first time it’s found something involving Apple – the group has reported over 200 vulnerabilities to the company to date, most without this kind of fanfare or controversy.
“Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies,” a spokesperson said.
“We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online.”
Skin in the game
But there are big questions about how Google is handling the dreaded “C” word: China. There’s no mention of the country in Project Zero’s research, and a spokesman on Friday wouldn’t tell me if Google had known the Uighurs were being targeted. But given the researchers said they’d identified various web addresses affected, it seems very unlikely that two-and-two were not put together. One of the URLs, to give you an example, was quite clearly a news site aimed at Uighur readers, or at least those interested in their plight.
Google has form in this area. You may remember a story last month regarding China-backed misinformation efforts on Facebook, Twitter and YouTube, designed to sow discord in troubled Hong Kong. Unlike Facebook and Twitter, which stated clearly they felt Beijing was behind the efforts – Google stopped short, saying only that it had removed material related to protests in Hong Kong.
There are also questions for Apple, however. If, as claimed in its statement, Apple knew about the iOS flaw before Google informed them, why did they not properly inform their users? Why, if it knew there were several booby-trapped websites scooping up data on the Uighurs, did it not warn them?
And Apple, like Google, won’t say if they think Beijing is directly responsible. That’s the bigger story here – the extent to which China’s malicious behaviour is being swept under the carpet, because the companies involved have too much skin in the game.