Last week, Google’s Project Zero security research team posted information about a serious vulnerability in iOS. The security exploit (or group of exploits, really) allowed a “small collection of hacked websites” that would, when visited, install code to monitor certain activity on the iPhone.
The security holes were patch in iOS 12.1.4 on February 7, 2019, and there were even news reports right after the patch about the security holes that were closed. The sites that exploited the vulnerabilities were targeting an ethnic minority in China—the Uighur—and also sought to exploit holes in Android and Windows.
Apple has taken umbrage with the recent report, calling it out not for its technical inaccuracy, but for misrepresenting the scope and scale of the security flaw and the way it was exploited. In a statement issued on September 6, the company said, “We’ve heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.”
Apple goes on to detail two ways in which it feels the report was misleading. First, the report says it will, “share these insights into the real-world workings of a campaign exploiting iPhones en masse.” Apple says the attacks were anything but “en masse” and only represented a few dozen websites targeting the Uighur minority community in China. Apple says this misrepresentation caused the hundreds of millions of iPhone users around the world to feel that they were compromised, when that was never true. “Regardless of the scale of the attack, we take the safety and security of all users extremely seriously,” Apple concluded.
Second, the websites were operational for only about two months, while the report gives the impression that iPhones were being hacked for two years. While the vulnerability may have been present in iOS for two years, it was only found and exploited among this narrow community for a short period.
Apple claims that it fixed the exploits within 10 days of learning about them, and that, “When Google approached us, we were already in the process of fixing the exploited bugs.”
The short statement concludes by reassuring users that Apple takes security extremely seriously:
Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they’re found. We will never stop our tireless work to keep our users safe.