Cybersecurity researchers at Google's Project Zero detailed the vulnerabilities in a blog post late last month, describing a campaign to exploit "iPhones en masse" through a small number of hacked websites over a period of "at least two years."
Apple(AAPL) disputed those claims in a statement released Friday.
"The sophisticated attack was narrowly focused, not a broad-based exploit of iPhones 'en masse' as described," the company said. It said the hacked websites used to exploit the vulnerabilities numbered fewer than a dozen and mainly featured content related to the Uyghurcommunity, a predominantly Muslim ethnic group from China's western Xinjiang region.
"Google's post, issued six months after iOS patches were released, creates the false impression of 'mass exploitation' to 'monitor the private activities of entire populations in real time,' stoking fear among all iPhone users that their devices had been compromised," Apple said. "This was never the case."
The smartphone maker also countered Google's claims about the duration of the attacks.
"All evidence indicates that these website attacks were only operational for a brief period, roughly two months, not 'two years' as Google implies," Apple said, adding that it fixed the vulnerabilities in February, 10 days after finding out about them.
"When Google approached us, we were already in the process of fixing the exploited bugs," the company said.
Google(GOOGL) defended its findings in a statement to CNN Business.
"Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies," the company said in a statement. "We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online," it said.
Apple's defense of its software comes just before amedia event on Tuesday, during which it is expected to reveal a new line of iPhones.
As it downplayed the impact of the vulnerabilities found by the Google researchers, Apple sought to reassure iPhone users about the security of their devices.
"Regardless of the scale of the attack, we take the safety and security of all users extremely seriously," it said. "Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they're found. We will never stop our tireless work to keep our users safe."
Nintendo is apparently concerned that the Switch's Joy-Con controllers might not be flexible enough. The console maker recently applied for a US patent on Joy-Cons with hinges that would let the top half "bend" to provide a more ergonomic grip. This would work whether or not the controllers are attached -- side sections would let you slide them on to the Switch's rails.
There don't appear to be any changes to the functionality beyond that -- the biggest change would be a flexible circuit board.
It's far from certain that Nintendo will implement this in the Switch or a future console. This is the American version of an international patent from February 2018, and the largest change so far is the Switch Lite, which fixes the controllers in place. This isn't necessarily evidence of a "pro" Switch or another revision. Nonetheless, it's evident that Nintendo is still looking for ways to refine the Joy-Con design, and it wouldn't be completely shocking to see this at some point in the future.
All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Apple’s ‘By innovation only’ keynote is just around the corner, but that doesn’t mean the leaks and countless reports will stop. According to a fresh series of info, the Apple logo is to be present at the backside of all 2019 iPhones and it’s not going to be there just because the company felt like executing a little design change. It’s there for a reason; to help users with reverse wireless charging.
Logo to Help Users Place Qi-Enabled Devices to Allow for 2019 iPhones to Start Charging Them Wirelessly
A Bloomberg report states that when the 2019 iPhones are officially here, there will be a subtle change added in the form of the Apple logo. However, the change won’t be added to bump up the aesthetics or to show the surrounding people that you have the latest and greatest iPhone in the palm of your hand. The change is actually a clever one if it turns out to be true. Similar to wireless charging, reverse wireless charging does have some conveniences in the sense that you’ll have to accurately align the device in a specific position otherwise it won’t juice up.
The Apple logo will serve as a form of ‘guiding star’ to help users place their Qi-enabled devices like AirPods charging case or even the Apple Watch. It’s not confirmed if non-Apple products such as the Galaxy Buds will be able to charge when placed right on top of that Apple logo. What we do know is that the company is rumored to incorporate all three 2019 iPhones with bigger batteries than their predecessors. The extra capacity should not only help with additional ‘screen on’ time but provide leftover juice to top up Qi-enabled devices and accessories.
Other interesting features include improved water-resistance and durable glass to protect the 2019 iPhones from water bodies and drops, though you should keep in mind that since it’s glass and not metal, you should exercise more caution. The keynote will kick off on September 11, and if there’s anything you need to know about the iPhone 11 event, you can always keep track through our detailed roundup.
Apple has tried to downplay concerns raised by Google about security vulnerabilities in iOS that could be exploited by malicious websites. Google's Project Zero recently revealed details of flaws in iOS that were being used to target and monitor iPhone users.
Other security researchers went on to warn that the vulnerabilities were being used to target Uyghur Muslims, possibly in a campaign run by the Chinese government. Having remained silent for more than a week after the revelations, Apple finally issued a statement responding to the findings, prompting criticism that the company was trying to downplay the issues.
See also:
At the end of August Security researcher Ian Beer provided a detailed breakdown of a series of iOS exploits that have the "capability to target and monitor the private activities of entire populations in real time". He also said that the flaws identified were used in a "sustained effort to hack the users of iPhones in certain communities over a period of at least two years".
A few days later, it was suggested by security researchers from Volexity that the exploits were being used to monitor Uyghur Muslims in the Xinjiang Uyghur Autonomous Region (XUAR) in northwest China.
Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We've heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.
First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones "en masse" as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.
Google's post, issued six months after iOS patches were released, creates the false impression of "mass exploitation" to "monitor the private activities of entire populations in real time," stoking fear among all iPhone users that their devices had been compromised. This was never the case.
Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not "two years" as Google implies. We fixed the vulnerabilities in question in February -- working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.
Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they're found. We will never stop our tireless work to keep our users safe.
Following the statement, Apple was criticized for nit-picking and for failing to show sufficient sympathy and understanding to the Uyghur community. Google made a point of saying that the number of malicious sites detected was small, but Apple felt the need to highlight this in such a way as to make it seem as though the matter had been overstated.
Among those to lash out at the company were Motherboard journalist Joseph Cox and UC Berkeley's International Computer Science Institute researcher Nicholas Weaver:
The thing that bugs me most about Apple these days is that they are all-in on the Chinese market and, as such, refuse to say something like "A government intent on ethnic cleansing of a minority population conducted a mass hacking attack on our users." https://t.co/ACMhtpN53H
Joining the criticism was former Facebook security chief Alex Stamos who tweeted:
The use of multiple exploits against an oppressed minority in an authoritarian state makes the likely outcomes *worse* than the Huffington Post example a former Apple engineer posited. It is possible that this data contributed to real people being "reeducated" or even executed.
Even if we accept Apple's framing that exploiting Uyghurs isn't as big a deal as Google makes it out to be, they have no idea whether these exploits were used by the PRC in more targeted situations. Dismissing such a possibility out of hand is extremely risky.
Google issued a statement in response to Apple, saying:
Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online.
Wunderlist founder Christian Reber has offered to buy back the popular task management app from Microsoft to avoid it being shut down. “Still sad Microsoft wants to shut down Wunderlist, even though people still love and use it,” says Reber on Twitter. “I’m serious Satya Nadella and Marcus Ash, please let me buy it back. Keep the team and focus on Microsoft To-Do, and no one will be angry for not shutting down Wunderlist.”
Microsoft first acquired Wunderlist back in 2015, for a rumored price of between $100 million and $200 million. The software giant has since launched its own Microsoft To-Do app, and it’s clear the Wunderlist acquisition has been complicated. Wunderlist’s API runs on Amazon Web Services, and Microsoft decided to rewrite everything rather than attempt to port it directly over to Azure.
While Wunderlist is still functional, Microsoft has said it plans to shut down the app once all of its features are available in Microsoft To-Do. It’s not clear exactly when that will take place, but Reber is keen to avoid it happening at all. He has confirmed it’s a “serious offer,” but there’s no sign Microsoft is even willing to entertain the offer.
Apple is taking flak for disputing some minor details of last week’s bombshell report that, for at least two years, customers' iOS devices were vulnerable to a sting of zeroday exploits, at least some of which were actively exploited to install malware that stole location data, passwords, encryption keys, and a wealth of other highly sensitive data.
Google’s Project Zero said the attacks were waged indiscriminately from a small collection of websites that “received thousands of visitors per week.” One of the five exploit chains Project Zero researchers analyzed showed they “were likely written contemporaneously with their supported iOS versions.” The researcher’s conclusion: “This group had a capability against a fully patched iPhone for at least two years.”
Earlier this week, researchers at security firm Volexity reported finding 11 websites serving the interests of Uyghur Muslims that the researchers believed were tied to the attacks Project Zero identified. Volexity’s post was based in part on a report by TechCrunch citing unnamed people familiar with the attacks who said they were the work of nation—likely China—designed to target the Uyghur community in the country’s Xinjiang state.
Breaking the silence
For a week, Apple said nothing about any of the reports. Then on Friday, it issued a statement that critics are characterizing as tone-deaf for its lack of sensitivity to human rights and an overfocus on minor points. Apple officials wrote:
Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We’ve heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.
First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.
Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.
Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.
Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they’re found. We will never stop our tireless work to keep our users safe.
One of the things most deserving of criticism was the lack of sensitivity the statement showed for the Uyghur population, which over the past decade or longer has faced hacking campaigns, internment camps, and other forms of persecution at the hands of the Chinese government. Rather than condemning an egregious campaign perpetrated on a vulnerable population of iOS users, Apple seemed to be using the hacking spree to assure mainstream users that they weren’t targeted. Conspicuously missing from the statement was any mention of China.
Nicholas Weaver, a researcher at UC Berkeley's International Computer Science Institute, summed up much of this criticism by tweeting: “The thing that bugs me most about Apple these days is that they are all-in on the Chinese market and, as such, refuse to say something like ‘A government intent on ethnic cleansing of a minority population conducted a mass hacking attack on our users.’"
The thing that bugs me most about Apple these days is that they are all-in on the Chinese market and, as such, refuse to say something like "A government intent on ethnic cleansing of a minority population conducted a mass hacking attack on our users." https://t.co/ACMhtpN53H
The statement also seemed to use the fact that “fewer than a dozen” sites were involved in the campaign as another mitigating factor. Project Zero was clear all along that the number of sites was “small” and they had only a few thousand of visitors each month. More importantly, the size of the campaign had everything to do with decisions made by the attackers and little or nothing to do with the security of iPhones.
Two months or two years?
One of the few factual assertions Apple provided in the statement is that the websites were probably operational for only about two months. A careful parsing of the Project Zero report shows researchers never stated how long the sites were actively and indiscriminately exploiting iPhone users. Rather, the report said, an examination of the five attack chains made up of 14 separate exploits suggested that they gave the hackers the ability to infect fully up-to-date iPhones for at least two years.
‘It didn’t happen the way they said it happened, but it happened, but it wasn’t that bad, and it’s just Uyghurs so you shouldn’t care anyways. No advice to give here. Just move along.’
Satire aside, Apple seems to be saying that evidence suggests that the sites that Google found indiscriminately exploiting the iOS vulnerabilities were operational for only two months. Additionally, as reported by ZDNet, a researcher from security firm RiskIQ claims to have uncovered evidence that the websites didn't attack iOS users indiscriminately, but rather only visitors from certain countries and communities.
If either of those points are true then it’s worth taking note, since virtually all media reports (including the one from Ars) have said sites indiscriminately did so for at least two years. Apple had an opportunity to clarify this point and say precisely what it knows about active use of the five iPhone exploit chains Project Zero found. But Friday’s statement said nothing about any of this, and Apple representatives didn’t respond to a request to comment for this post. A Google spokesman said he didn’t know precisely how long the small collection of websites identified in the report were operational. He said he’d try to find out, but didn’t respond further.
In a statement, Google officials wrote: “Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online.”
A missed opportunity
Former NSA hacker and founder of the firm Rendition Infosec Jake Williams told Ars that ultimately, the time the exploit sites were active is immaterial. “I don’t know that these other 22 months matter,” he explained. “It feels like their statement is more of a straw man to deflect away from the human rights abuses.”
Also missing from Apple’s statement is any response to the blistering criticism the Project Zero report made of Apple’s development process, which the report alleges missed vulnerabilities that in many cases should have been easy to catch with standard quality-assurance processes.
“I’ll investigate what I assess to be the root causes of the vulnerabilities and discuss some insights we can gain into Apple's software development lifecycle,” Project Zero researcher Ian Beer wrote in an overview of last week’s report. “The root causes I highlight here are not novel and are often overlooked: we'll see cases of code which seems to have never worked, code that likely skipped QA or likely had little testing or review before being shipped to users.”
Another key criticism is that Apple's statement has the potential to alienate Project Zero, which according to a Google spokesman has to date privately reported more than 200 vulnerabilities to Apple. It’s easy to imagine that it wasn’t easy for Apple to read last week’s deep-dive report publicly documenting what is easily the worst iOS security event in its 12-year history. But publicly challenging a key ally on such minor details with no new evidence does not create the best optics for Apple.
Apple had an opportunity to apologize to those who were hurt, thank the researchers who uncovered systemic flaws that caused the failure, and explain how it planned to do better in the future. It didn't do any of those things. Now, the company has distanced itself from the security community when it needs it most.
