Friday, September 6, 2019

Apple Responds to Project Zero

Apple (Hacker News):

Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February.

“A blog,” rather than “a blog post”? I love how Apple is subtly trying to discredit Project Zero by implying that it’s a mere blog. And let’s be sure everyone knows it’s affiliated with Google, the privacy bad guys, even though it’s a responsible, technically focused group. Of course, the quote you’re reading is not from a blog by Apple PR. It’s an “Apple Statement.” From the Newsroom. Which has an RSS feed, like blogs do. (Though the feed isn’t discoverable from the statement page.)

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described.

Project Zero literally referred to “a small collection of hacked websites” that received “receive thousands of visitors per week.” And it does seem like a particular subpopulation was targeted “en masse.” The sites in question were on the public Internet; it wasn’t links being sent to target particular individuals. Apple is blaming the messenger for things it didn’t even say.

The attack affected fewer than a dozen websites that focus on content related to the Uighur community.

Oh, I get it. Most people would consider “fewer than a dozen” to be “a small collection.” But in Apple-speak, there were “a small number” of corrupt App Store binaries causing crashes, and “a small number” of MacBook Pro users experiencing butterfly keyboard problems, not to be confused with the “very small number” of iPhones that unexpectedly shut down. So, yeah, I can see why Apple wants people to know that this “small collection” doesn’t mean “millions.” Although there are apparently 10 million Uigurs in China…

Google’s post, issued six months after iOS patches were released[…]

It’s great that Project Zero reported this in a responsible way, because now we can downplay it as old news.

Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies.

I’m not sure how they know that there weren’t other sites than the ones they considered. Why would someone go to the trouble of targeting iOS 10.0.1 separately from iOS 10.3—or even target iOS 10 at all—if the attack was only for two months in 2018 (after iOS 12 was out)?

We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

Apparently, this is because they were tipped off by the FBI first, but mentioning that would make this seems more serious than Apple wants. This way they get to pretend that they’re smarter than Google.

Overall, an odd response from Apple. Maybe this is really smart PR before the big event next week. But, from my perspective, it is not a good look.

Lorenzo Franceschi-Bicchierai:

I’ve never seen a more smug statement after a breach. Let’s remember that this affects a minority that is actively being suppressed and effectively annihilated by the Chinese government. Perhaps dismissing the gravity of the hacks is not the best approach.

Daniel Sinclair:

This is trash. The us vs them is just gross and disingenuous. Project Zero is doing all of us a service, and Apple PR should be embarrassed for having written this.

Ryan Mac:

In a blog post, the iPhone-maker took issue with some of the findings released by Google researchers[…]

“A blog post”!

In a response Friday, a Google spokesperson said the company stood by its research, “which was written to focus on the technical aspects of these vulnerabilities.”

John Gruber:

Reading between the lines here, what Apple is pushing back on is the fact that Google’s report on this attack against the Uyghur community only mentioned iOS. […] Conspicuously unmentioned in Apple’s response: “China”.

Of course, Project Zero does also publish blogs about Android exploits. And nothing is stopping Apple’s security team from publishing a blog about Android.

Zack Whittaker:

One of the sources told TechCrunch that the websites also infected non-Uygurs who inadvertently accessed these domains because they were indexed in Google search, prompting the FBI to alert Google to ask for the site to be removed from its index to prevent infections.

Bruce Schneier:

This upends pretty much everything we know about iPhone hacking. We believed that it was hard. We believed that effective zero-day exploits cost $2M or $3M, and were used sparingly by governments only against high-value targets. We believed that if an exploit was used too frequently, it would be quickly discovered and patched.

None of that is true here. This operation used fourteen zero-days exploits. It used them indiscriminately. And it remained undetected for two years.

Previously:

Update (2019-09-06): I’m still fascinated by the “fewer than a dozen” phrasing. Surely, Apple would want us to know if it were fewer than ten, i.e. single digits. So the number is likely ten or eleven, yet they didn’t want to say the exact number. And I don’t think the number of sites is actually that important. A single popular site would be worse than many small ones. The number that matters is how many people were affected, and it’s likely not small. Yet this is the lead “fact” that Apple wanted to communicate.

It’s also worth noting that this response dropped on a Friday, and that it doesn’t include a link to the post it’s critiquing, or mention its title or author. So if you don’t actually read it for yourself, you’re left with the implication that it was some sort of dishonest corporate smear campaign.

See also: MacRumors, The Verge, Zeynep Tufekci.

Lorenzo Franceschi-Bicchierai:

A former Apple security employee criticized the company’s reaction and its statement, saying it was misleading. For example, the former employee said, the fact that the the attack was narrowly focused “doesn’t say anything about the security of iOS, merely about the restraint of Chinese attackers.”

“There was nothing keeping the Chinese from putting their exploit(s) in an advertising iframe and paying Huffington Post to serve it. They could easily have compromised tens of millions of iPhones, but chose not to. As a result, we didn’t find out about these attackers for years,” the employee, who spoke on condition of anonymity, said.

Josh Centers:

I don’t care a whit for the drama at play here. Bottom line: iOS isn’t nearly as secure as Apple led us to believe.

Here’s the thing: Apple took away a lot of freedoms in exchange for two promises:

  1. No junk apps.
  2. No major security isssues.

Apple is not upholding their end of the bargain.

Update (2019-09-07): Nick Heer:

So why did Apple respond to that Project Zero disclosure anyway? The researchers stated that the exploits had been patched months ago. Apple offered no new information in their statement. What was the point?

I think it’s because some of the reporting sensationalized Project Zero’s work and didn’t make it clear that the patches were already in place. Apple chose to attack Google, rather than the media responsible for that coverage.

That might also have been avoided if Apple had kept its own customers informed about its products, instead of leaving its competitor to disclose the biggest security incident in iOS history. Now, every time Apple touts how secure its stuff is, you have to wonder whether there are more incidents like this that they are hiding from you, which is a shame because I think they’re doing a pretty good job with the actual security work.

Alex Stamos:

Apple’s response to the worst known iOS attack in history should be graded somewhere between “disappointing” and “disgusting”.

First off, disputing Google’s correct use of “indiscriminate” when describing a watering hole attack smacks of “it’s ok, it didn’t hit white people.”

[…]

Even if we accept Apple’s framing that exploiting Uyghurs isn’t as big a deal as Google makes it out to be, they have no idea whether these exploits were used by the PRC in more targeted situations. Dismissing such a possibility out of hand is extremely risky.

[…]

Third, the pivot to Apple’s arrogant marketing is not only tone-deaf but really rings hollow to the security community when Google did all the heavy lifting here.

[…]

Apple does some incredible security work, but this kind of legal/comms driven response can undermine that work.

Update (2019-09-09): James O’Leary:

mind-boggling own goal to bring this up, unprompted, days later, much less pick a fight with project zero, that never ends well

Something seems up with Cook the last year or so, this + the Spotify response were obfuscatory, unnecessary, and reeked of defensiveness

Om Malik:

I read Apple’s response, which was clearly very defensive. While I dismissed Google’s efforts as a chance to puncture Apple’s privacy blimp (Google is really good at shifting attention away from its own dirty privacy tricks), but Apple’s statement is what has raised some red flags for me. What are they not telling us? And why are they telling us now, so long after the fact? Why not come clean earlier?

Nick Heer:

The series of exploit chains Google wrote about are entirely different. They’re comprehensive — they span multiple major and minor versions of iOS. They’re targeted to surveil an entire persecuted group of people, which makes them far more exposed than specific user applications but not as indiscriminate as a computer virus. Make no mistake: this was an exploitation deployed “en masse”, exactly as Google says.

Apple’s acknowledgement that users would be exposed only if they visited one of “fewer than a dozen websites” is a little misleading as well.

[…]

Neither company has disclosed which websites were spreading these exploit chains, however, so it’s impossible to say whether your iPhone is likely to be affected. Apple’s disputes seem to be about little more than language choices.

[…]

Their statement says nothing, but it does remind people of a reputational failure. […] If Apple did not want to engage with the troubling abuse of their platform to help surveil Uyghurs — and I think they should have, for what it’s worth, but I understand the economic risks of speaking up against the Chinese government — why not issue a succinct release solely about security?

Matt Blaze:

Aside from everything else, using PR to minimize the significance of discovered vulnerabilities is number one on my list of things that make me trust a vendor’s products less. The response to a flaw tells us far more about the security of a product than the flaw itself.

Alex Stamos:

The time-to-patch tells you something about the security and engineering teams. The PR response teaches you about the exec suite.

David Heinemeier Hansson:

This is also a classic case of Apple taking the wrong token. They went with “it’s no big deal” when they should have gone with “it’s the end of the world”. They could have asked @gassee, who used to run Apple France, for a primer on this concept.

Update (2019-09-10): See also: Slashdot.

16 Comments RSS · Twitter

Stunning.

And perfectly ON POINT, @mjtsai. I am hoping that Tim Cook is at his desk, right now, with his face in his hands, having just read your “published… blog”. It needed said, just like you did.

[…] Michael Tsai thoughtfully disputes Apple’s downplaying. Regardless of scale, I think Bruce Schneier […]

When in China (*), do as the Chines do (**)."

* to produce your devices
** state this is not a big issue.

Now now Michael, don’t turn into *me*, nor get me started about persistent security bugs between “Group FaceTime”, Messages and SIRI Shortcuts that I keep noticing in iOS 12.

Posting or publishing a blog has changed its meaning to refer to a blog post in popular usage many years ago. It’s a pet peeve of mine, but I don’t think that particular part can be counted as an attempt to discredit Project Zero.

@Peter Can’t say that I’ve seen it used that way. I have seen people refer to podcast episodes as pods. Is it perhaps a regional thing?

Sören Nils Kuklau

Can’t say that I’ve seen it used that way.

Nah, it’s not unusual. (And it’s equally weird as “a pod”.)

But I think your point holds true. Apple PR tends to word things carefully (as misguided as this entire PR statement seems to me, I doubt they wrote it out on a whim), so they probably knew exactly what they were doing by calling it “a blog”.

Did Apple patch these security bugs in older version of iOS for people whose hardware doesn't support the newest? No. They never do. Shameful.

[…] Tsai raises further questions about the way Apple framed its statement: “A blog,” rather than “a blog post”? I love how Apple is subtly trying to […]

>The attack affected fewer than a dozen websites that focus on content related to the Uighur community.

How do they know that?

@Lukas Right, as Stamos said, I don’t think they actually do know that. How could you even prove that no one did that?

This topic feels like a good opportunity for a periodic reminder that — as late as this year — Apple were selling refurb iPod Touch models with an A5 chip, maxed out at iOS 9.

Even today, their refurb store is full of 6th-gen models with an A8 that will no longer be supported next week: https://www.apple.com/shop/refurbished/ipod

[…] at Michael Tsai, BuzzFeed, John Gruber, TechCrunch, MacRumors, The Verge, Zeynep […]

[…] at Michael Tsai, BuzzFeed, John Gruber, TechCrunch, MacRumors, The Verge, Zeynep […]

[…] Apple Responds to Project Zero […]

Leave a Comment