9 Sep 2019

Google and Apple in spat over cyber attack

11:09 am on 9 September 2019

Last week Google disclosed a large-scale hacking effort that it said targeted users of Apple devices but now the latter has gone on the attack.

No caption

Photo: 123RF

Apple has said it was a stitch up but Google is standing by its research.

In a statement posted on Friday, Apple took issue with Google's characterisation that this was a broad attack on all iPhone users.

"Google's post, issued six months after iOS patches were released, creates the false impression of 'mass exploitation' to 'monitor the private activities of entire populations in real time,' stoking fear among all iPhone users that their devices had been compromised.

"This was never the case."

Apple's upset at what was omitted from the Google Project Zero team's report.

"The sophisticated attack was narrowly focused, not a broad-based exploit of iPhones 'en masse' as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur [a minority Turkic ethnic group in China]," Apple's statement said.

Android affected

This perspective is backed up by independent research from Volexity, a cyber-security firm based in Washington DC. It published a report earlier this month looking into the same threat, and stated unequivocally that Uighurs were the target - detailing 11 websites that had been used to carry out the attack.

Most notably, the Volexity report states that as well as Apple's iOS, Google's own mobile operating system, Android, was also targeted - a detail that was missing from Google's research.

Google insists it did not know Android was affected - but it is well aware how it looks.

Tim Willis, a researcher on the Project Zero team, wrote in a tweet that Google's Threat Analysis Group "only saw iOS exploitation on these sites when TAG found them back in Jan 2019 (and yes, they looked for everything else as well)".

Independent researchers spoken to by the BBC are mostly giving Project Zero the benefit of the doubt on. It's a highly respected group in the cyber-security space, and has not been seen as some kind of weapon against Google's rivals.

"Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies," a spokesperson said.

"We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online."

Questions remain

There was no mention of China in Project Zero's research, and a spokesman on Friday would not say if Google had known the Uighurs were being targeted.

But researchers said they had identified various web addresses affected. One of the URLs was quite clearly a news site aimed at Uighur readers.

Questions also remain for Apple.

If, as claimed in its statement, Apple knew about the iOS flaw before Google informed them, why did they not properly inform their users?

And Apple, like Google, won't say if they think Beijing is directly responsible.