Pixel Envy

Written by Nick Heer.

Archive for September 6th, 2019

Don’t Speak

The more I’ve thought about Apple’s statement regarding the iOS exploit chains discovered last week, the more bizarre it seems. In short, I do not understand why Apple felt it necessary to issue a news release at all, and I’ve no clue why this is the release they went with. Let’s start with the first paragraph:

Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We’ve heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.

Apple’s use of the word “blog” here seems pejorative — an insinuation that this multipart, highly technical explanation should be taken less seriously because of its publishing medium. Should Google have published this information in a book? Would it matter if the explanation were not hosted on Blogspot? I don’t think so, but Apple’s statement seems to imply that I should care.

The next two paragraphs need to be examined together:

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.

Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.

Google’s explanation can be misread, but it is not wrong.

The iPhone is assumed to be the most secure consumer device on the planet — nothing revealed in the past week actually changes that. But because of its reputation and its widespread use by higher-value targets — celebrities, politicians, businesspersons, and the like — the market for iOS security breaches is booming. Exploits that require little to no user interaction and rely upon so-far-undisclosed vulnerabilities have long been associated with targeting specific users in a truly clandestine fashion.

The series of exploit chains Google wrote about is entirely different. They’re comprehensive — they span multiple major and minor versions of iOS. They’re targeted to surveil an entire persecuted group of people, which makes them far more exposed than attacks on specific users but not as indiscriminate as a computer virus. Make no mistake: this was an exploitation deployed “en masse”, exactly as Google says.

Apple’s acknowledgement that users would be exposed only if they visited one of “fewer than a dozen websites” is a little misleading as well. Those websites, Google estimates, served thousands of users per week.

Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

The confusion over whether these websites were active for months or years seems to come from the context of Google’s explanation:

TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.

The way this is written makes it sound like Google has extrapolated the time that these websites were operational from the version numbers of iOS. Apple doesn’t provide any source for their assertion that they were live for two months, other than “all evidence” — which, sure, but what evidence? Whatever it may be, it doesn’t seem to be available publicly.

The last paragraph is an acknowledgement that software security is a constant chase, and that neither the bugs nor the patches will stop. That’s fine; it’s probably the most straightforward paragraph in the entire release.

And that’s it — that’s the release in summary. The only new information in its five paragraphs is a slightly more accurate number of affected websites and the controversy over whether the attack was running for two months or two years. But those new details are not as relevant as the number of visitors who may have been affected, and making an estimate is still a fraught exercise. If we take the lowest possible figures that we can extrapolate from “thousands of visitors per week” (1,000), two months (or about nine weeks) of operations, mobile share of web browsing in China (about 60%) and Chinese iOS market share (about 20%), we’re left with maybe a thousand exploited iPhones.¹

But, again, this is a not-particularly-useful estimate, and I won’t vouch for its accuracy. I put it out there only as a guess about how many devices may be affected by an authoritarian government’s relentless surveillance of Uyghurs worldwide. So, I return to my original question: why did Apple issue this statement?

As both Apple and Google acknowledge, these bugs were patched six months ago, so there is little ongoing customer risk from these websites. Neither company has disclosed which websites were spreading these exploit chains, however, so it’s impossible to say whether your iPhone is likely to be affected. Apple’s disputes seem to be about little more than language choices.

John Gruber points to a story by Thomas Brewster of Forbes as one possible reason. Google’s report only covered iOS vulnerabilities, but Brewster says that the same websites also distributed exploits for Windows and Android systems. The final paragraph in Apple’s statement seems to hint at this possibility:

[…] iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. […]

I suppose that’s one possibility, but I’m not convinced.

An argument like Rhett Jones’ of Gizmodo also doesn’t seem quite right:

Cutting through the corporate-speak in that statement, it is important to acknowledge that the Project Zero crew does great work, and there’s no reason to believe that their work is motivated by malice. It’s also worth emphasizing that Apple’s reputation for making secure products has been earned by making secure products. What’s at issue here is who will have the best reputation for security in the future, and the answer is up for grabs.

I don’t see how Apple gains anything by pushing a nonsense statement on a Friday afternoon when they are preparing to unveil new iPhones, Apple Watches, and other devices on Tuesday. Their statement says nothing, but it does remind people of a reputational failure. Why not, instead, demonstrate a commitment to security during the product launch?

I am certain that Apple’s public relations people are much smarter than I am. I’m sure they have a reason for this release. I just can’t fathom what it is, nor can I understand why this is the statement they went with. If Apple did not want to engage with the troubling abuse of their platform to help surveil Uyghurs — and I think they should have, for what it’s worth, but I understand the economic risks of speaking up against the Chinese government — why not issue a succinct release solely about security? One that acknowledges Google’s findings, reminds users that these bugs are patched, reiterates the importance of software updates, and includes a commitment to maintaining device security. That explanation would meaningfully help reassure the customers who apparently contacted Apple with concerns, even if the company can’t tell them the likelihood of their device being affected.

One cogent paragraph beats five mediocre ones most of the time, but demonstrating beats telling every single time.


  1. While there are Uyghurs worldwide, the overwhelming majority live in China, so that is why I’ve used those figures for mobile browser usage and iOS market share. Again, this figure is a wildly inaccurate estimate, but it’s the closest I could come up with given public data.

Apple Responds to Concerns About iOS Security After Uyghur Targeting

From the statement:

Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We’ve heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.

A blog is a collection of blog posts.

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.

Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.

In the first couple of years of the iPhone’s availability, users simply needed to tap a link on a webpage to jailbreak their device. Even though it was an elegant solution, there was still a nagging feeling that this mechanism could be easily abused.

Apple patched the affected vulnerabilities, of course, but it is an ongoing battle — particularly with JavaScript engines that run far closer to the CPU and GPU than they used to.

As far as I know, nobody has yet published a list of the websites affected, but I imagine they’re highly targeted. That is, even though anyone could have accessed them, that doesn’t mean every iPhone user is equally vulnerable or a likely victim.

Update: Ryan Mac of Buzzfeed News reports that this attack campaign originated in China. Apple and Google have so far skirted that aspect of the story.

Update: Michael Tsai thoughtfully disputes Apple’s downplaying. Regardless of scale, I think Bruce Schneier explained very well the way in which these findings change how we think about zero-day vulnerabilities.