A week later, Apple responded to Google's report on a serious security problem affecting iOS, the operating system of iPhones, potentially putting the security of many users at risk. Apple did not deny some of the conclusions that Google's IT experts had arrived at, but it still accused the company of “fueling fears among all iPhone owners” by passing the message “that their devices had been hacked”, omitting some details that would have made the conclusions less worrying.
Last week, Google's Project Zero cybersecurity blog published a series of posts detailing a major organized cyberattack exploiting flaws in iPhones. To carry out the attack, it was sufficient for users to visit some sites, on which code was installed to exploit the security holes. Google claimed that the attacks had been going on for a couple of years, on sites visited every week by thousands of users.
After carrying out some internal checks, on Friday 6 September Apple published its own statement, claiming that the attack did not affect a large number of iPhones as written on Project Zero: “The attack affected a few dozen sites, with content dedicated to the community of the Uighurs ”, the Islamic minority living in the north-west of China and which has been subjected to severe repression by the Chinese government for some time. Apple further explained that the data collected shows that the attacks had been conducted for a short period of time: “about two months, and not two years as instead suggested by Google”.
The vulnerability was fixed by Apple last February, about ten days after it learned of it. The company further explained that its technicians were already working to resolve the situation when it received the report on the problem from Google. Apple does not even seem to have liked the fact that in the first posts Project Zero did not mention a similar problem concerning Windows and Android, the smartphone operating system whose main version is developed by Google itself.
After the release of the press release, Google responded to Apple with its own message, recalling that Project Zero deals with research and analysis of IT security problems, without ulterior motives compared to making the devices we use every day more secure. The company has confirmed that it intends to continue working with Apple and other companies in the sector to reduce the risks associated with cyber attacks.
Several observers have noticed an excessively aggressive tone on the part of Apple, and which could prove to be counterproductive for the company, especially on such a delicate issue. As the tech site TechCrunch demonstrated a few days ago, the sites modified to exploit a flaw in the iPhone operating system (iOS) were probably part of a cyber attack organized by the Chinese government against the Uighurs. The goal was to gain access to their smartphones, in order to steal information to be exploited as part of their communities' repression programs. China had previously employed various strategies to spy on Uighur communications, as reported by a CNN article. The “few dozen sites”, as they have been defined by Apple, dedicated to Uighurs were enough to get visits from thousands of community members and potentially spy on their activities.
