Apple Hits Back At Google Over iPhone Hack Report
Apple has hit back at Google in a statement that made clear it feels that its security researchers have overstated the level of threat against iPhone users.
Last month security researchers at Google’s Project Zero had warned iPhone users of a “sustained effort” of an attack “in the wild” against Apple devices.
The researchers detailed how hackers utilised booby-trapped websites to try and carry out zero-day attacks against visiting iPhone users.
iPhone hack
But Apple has disputed Google’s insistence that it was a large-scale hacking effort that targeted users of Apple devices, and has issued a hard-hitting statement.
“Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February,” said Apple.
“First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ‘en masse’ as described,” it said. “The attack affected fewer than a dozen websites that focus on content related to the Uighur community.”
The Uighur are a Muslim community located in central and east China and are at the centre of human right concerns in that region.
And Apple made no attempt to disguise its irritation at Google’s research team’s efforts to make this a more global threat, and not just one affecting a small ethnic community in China.
“Google’s post, issued six months after iOS patches were released, creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real-time,’ stoking fear among all iPhone users that their devices had been compromised,” said Apple. “This was never the case.”
“Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not ‘two years’ as Google implies,” said Apple.
“We fixed the vulnerabilities in question in February – working extremely quickly to resolve the issue just 10 days after we learned about it,” Apple added. “When Google approached us, we were already in the process of fixing the exploited bugs.”
But Google is standing by its research, after Tim Willis, a researcher on the Project Zero team, tweeted that Google’s Threat Analysis Group (TAG) “only saw iOS exploitation on these sites when TAG found them back in Jan 2019 (and yes, they looked for everything else as well)”.
Project Zero
This is not the first time that Google’s Project Zero team has stepped on toes with other tech firms.
The group was set up in 2014 to hunt down vulnerabilities and bugs before they are used in cyberattacks, but its actions have displeased a number of vendors.
In February 2015, Google was forced to defend its policy of automatically publishing zero-day vulnerabilities discovered by its Project Zero team after 90 days, and promised to offer up to two weeks grace if a vendor notifies the search giant that a patch is in the works.
Microsoft, for example, was previously critical of Google for publishing details of two vulnerabilities in 2015 arguing that such disclosures harmed end-users by offering attackers information about potential flaws that could be exploited.
source silicon
Industry: Cyber Security
Latest Jobs
-
- PCI QSA needed. Discreet Opportunity | London | Client facing
- London
- N/A
-
CH08421 PCI QSA needed. Discreet Opportunity | London | Client facing. Payment Card Industry - Qualified Security Assessor - London Seeking someone looking to accelerate their career, into a variety of interesting clients / projects. Must be happy to be onsite with clients- this is not a fully remote role. You must currently hold a valid CISSP or CISM or ISO27001 lead implementer certification AND one of the following; CISA, GSNA, iso27001 lead Auditor, CIA or IRCA ISMS auditor+ Visa sponsorship not available. Apply today for more information chris.holt@dclsearch.com Use this whatapp link to reach out https://wa.me/message/6USF5RAQBOZIP1
-
- Network / Security Infrastructure Engineer | West London | Permanent
- London
- N/A
-
Network / Security Infrastructure Engineer | West London | Current Config, Install, upgrade experience On prem / Datacetner experience essential. Hands on experience MUST include: Routing, Switching, Network Security (firewall, IDS etc), Microsoft exchange / Exchange 365. Scripting / automation experience wanted. Python, Powershell etc Regular travel to West London is required. Visa sponsorship not available. Apply today for more information chris.holt@dclsearch.com Use this whatapp link to reach out https://wa.me/message/6USF5RAQBOZIP1
-
- Security Operations / information Security Analyst / Engineer. London
- London
- N/A
-
Security Operations / information Security Analyst / Engineer needed for a London opportunity. A technical hands on role to investigate, escalate and proactively work to protect a globally recognised brand. Someone with SOC Analyst / security engineering background would be well suited. This position will join a small team and would suit someone that has broad experience across the security threat landscape. Experience / knowledge across industry GRC standards such NIST, ISO27001 etc very advantageous and a priority. You will work across multiple teams proactively working to secure the business. Must be able to commute to Central London 3 days a week. Visa sponsorship not available Apply today to find out more.
-
- Security Cleared Penetration Tester: United Kindom
- N/A
- N/A
-
Security Cleared Penetration Tester Deliver technical Penetration tests to the NCSC CHECK standard. Active CHECK Member or Leader status desirable either in Web Application or Infrastructure. Reach out to find out more. Whatsapp directly here https://wa.me/message/6USF5RAQBOZIP1 Or apply today