Apple users are still reeling from the shocking disclosure by Google’s Project Zero team that a number of “hacked websites” have been used to attack iPhones for two years. And every single up-to-date iPhone has been vulnerable. Now, two days later, those same 1 billion users face further damning revelations.
I reported the news on Friday [August 30], and said at the time that the clear implication is that the attack targeted a particular geographic area or demographic, which, along with the clear sophistication and scale involved, points in the direction of a nation-state-sponsored threat actor.
Now, according to TechCrunch, “sources familiar with the matter have said that the websites were part of a state-backed attack—likely China—designed to target the Uighur community in the country’s Xinjiang state.”
The fact that a nation state is implicated in a mass targeting of Apple’s “locked down” devices against a section of its population, and seemingly escaped notice or censure for two years or more, is a devastating shock to the Apple community. If China can do this, then others can as well. And the solid sense of security has been shattered.
The news was disclosed just as Apple confirmed its September 10 launch date for the upcoming iPhone 11, and the scale of the revelations has put a massive dent in the usual gloss of its annual event. The nature of the hack also shines a light on Apple’s approach to software development, penetration testing and patching. And, to the surprise of many, the Cupertino giant has been found wanting.
As soon as Google disclosed that the hack “indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years,” the implication was that either China or Russia was likely targeting an ethnic minority within its respective domain.
And China was always the most likely culprit. The authorities in Xinjiang, where it’s reported that as many as 1 million members of the minority Muslim Uighur population are interned in “retraining camps,” have been at the forefront of the use of surveillance technology to monitor and oppress the population. This has included smartphone monitoring, facial recognition and citizen scoring.
TechCrunch cited a source claiming that “the websites also infected non-Uighurs who inadvertently accessed these domains because they were indexed in Google search, prompting the FBI to alert Google to ask for the site to be removed from its index to prevent infections.”
There have been no confirmations from Google or law enforcement that the sites did indeed target Uighurs, and some criticism that Google did not clarify any of this at the time of the disclosure. There are two reasons this would have been helpful. First, it would be a siren call to those potentially impacted to check their devices, change passwords and watch for compromises. Second, it would ease the concerns of the majority of the 1 billion iPhone users who—as things stand—could have been hit by the attack. Yes, only “thousands a week” were attacked. But which “thousands”?
“There was no target discrimination,” Google said of the hack, “simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.” In a heartbeat, the researchers had pricked the bubble of Apple’s supposed security superiority.
Google’s research team “was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.”
For those whose devices were infected, “the attackers were able to get highly privileged access to core parts of the iPhone operating system.” An attack could access photos and messages, steal login credentials and banking passwords, even access location information. And those passwords could have been stored in the system, not scraped as a website was being accessed.
Now that we are being steered in the direction of the Uighurs, the reference to location information has added significance. We know from multiple data breaches from Xinjiang that the authorities are tracking the locations of the population.
Despite this narrowing down of the attack, Apple still has the problem that this will undermine confidence in the security of the brand. So severe is this disclosure, so damaging and intrusive the nature of the vulnerability, that it will leave users asking questions about how such a serious range of flaws could have been left open.
The other two questions this raises, of course, are these: if these exploits were in place for two years before being found, what else is out there that we don’t yet know about? And was there any similar hack in place that targeted Android devices that either hasn’t been found or hasn’t been disclosed?
More serious questions. Still a dire lack of serious answers.