Late last Thursday, Google security researchers dropped a bombshell: Someone had launched a sustained attack against iPhone users that compromised their devices almost instantly when they visited certain websites.
The campaign forced a fundamental shift in how security professionals think about iOS. And now, after a week of silence, Apple has finally given its side of the story.
In a brief statement, Apple confirmed that the attacks had targeted China’s oppressed Uyghur Muslim community, as had previously been reported. But the statement also called out multiple points of contention with how Google characterized the attack.
The company also disputed aspects of Google’s timeline, saying that the malicious sites were operational for two months, rather than the roughly two years Google had estimated. Apple’s statement also says that it had already discovered the vulnerabilities a few days before Google brought them to Apple’s attention. “We were already in the process of fixing the exploited bugs,” Apple says.
Apple did not, however, dispute the specifics of how the campaign worked. Researchers from Google’s elite Project Zero security group identified five different exploit strategies the malicious sites could use to compromise iPhones running almost every version of iOS 10 through iOS 12. The sites, which had thousands of visitors per week, would assess victim devices and then infect them, if possible, with powerful monitoring malware. The attackers reportedly targeted Microsoft Windows and Android devices as well.
The Apple statement also doesn’t contravene the central significance of the attacks. Security experts have long assumed that iPhone hacks primarily target very specific, high-value victims, because iOS vulnerabilities that can provide such deep system access to attackers are too rare and prized to risk revealing in mass campaigns. In this situation, though, attackers were using numerous valuable iOS exploits with abandon, shifting that established paradigm.