Apple plays down brutal iOS breaches

Breaking a few days of silence, Apple has finally come out with a garbled statement to downplay the iOS breaches Google disclosed earlier this week. As a reminder, Project Zero revealed a number of 'exploit chains' that gave an attacker near-total control over an iPhone, triggered by simply visiting a malicious website.

Apple's statement weasels its way around the issues a bit here, so let's take a look at it:

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.

Let's review this piece by piece: 

  • Saying "narrowly focused" is a really misleading way to say indiscriminately targeting 11 million people with a splatter-shot attack that could infect any device.
  • Focusing on the "dozen websites" is a nice way to downplay that a) thousands of people visited those websites and b) 12 websites is a lot of websites when your phones are being completely owned.

Onward to the next paragraph:

Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.

  • Why does it matter that it was six months later? If anything, Google gave Apple time to say something publicly and it chose not to! OK then! 
  • Again, "mass exploitation" is being weaponized here to avoid the point! Saying it wasn't widely exploited, while an attacker was able to remotely, at random, dump the contents of an entire ethnic group's devices is... pretty disingenuous about the realities.
  • "Stoking fear among all iPhone users" is a fair argument, but perhaps transparency would have helped here. Also, Apple's poor quality assurance/testing practices should have caught this—shouldn't we be worried it can't even keep track of half-implemented features?

Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

  • Well, there were five exploits over the space of two years, but this paragraph decided to ignore all of those and make it seem shorter.
  • Oh, "we were already in the process of fixing the exploited bugs"—really? This seems hard to believe, even if it's true, especially given the secrecy around this. 
  • 10 days is a really fast turnaround, and Apple should be proud of that, true! In the end, it isn't really relevant, however, given that people were targeted, and apparently nobody can come up with solid numbers on how many. 
  • I'll give Apple this: Google is a competitor, and they're probably pissed off about the verbiage of the company's post, and how 'anti-Apple' it felt. But, Project Zero has always ruffled feathers like this because it exists to try and inform people about attacks, non-politically—an impossibility inside that competitor. Maybe Google should spin off Project Zero into a funded, separate entity, which might help.

As Motherboard reported today, a former security employee at Apple disagrees with the statement, saying that the fact that the attack was narrowly focused "doesn’t say anything about the security of iOS, merely about the restraint of Chinese attackers."

"There was nothing keeping the Chinese from putting their exploit(s) in an advertising iframe and paying Huffington Post to serve it. They could easily have compromised tens of millions of iPhones, but chose not to," the anonymous employee continued.

Instead of issuing this statement, perhaps Apple should have just hardened its operating system better? It feels like a lot of wasted breath, downplaying an issue and lobbing insults over the fence, where it could have instead seized the messaging here and said it didn't live up to customer expectations. 
Tab Dump

Samsung canceled all Galaxy Fold pre-orders—and gave each customer $250

That's one hell of a bittersweet piece of compensation, and it will probably just trigger these people to re-order the new Galaxy Fold. My advice remains simple: don't buy first-generation anything.

Facebook and Microsoft are funding a contest to detect deepfakes

Deepfakes, in which algorithms make it look like someone is saying or doing something that they never actually did, are a serious problem for the media (and all of us) going forward. How do you prove someone actually did or said that thing, if anything on film can be faked? This contest seems like a good idea, designed to try and find ways to detect these types of videos—the bad news is it only hired men to consult on this.

Must read: Apple made Siri intentionally deflect questions on feminism, Me Too, and much more

Tough day for everyone's favorite fruit company, which saw leaked documents about Siri's responses that were specifically rewritten to deflect questions about what it saw as 'controversial' topics. A swing and a miss, where it could have made real change with its assistant—and a cause for concern about how it decides to make these responses up.

Speaking of Apple... the 2019 iPhone event is scheduled for Tuesday

The Verge has a good overview of the rumor mill, which I try to stay out of these days.