Google has a team of white hat hackers whose job is to uncover security flaws in widely used tech. This team, known as Project Zero, discovered a flaw in iOS and alerted Apple on February 1, 2019; Apple released a patch a few days later, on February 7. Project Zero didn't publish anything about the security flaw until late August.
Had Google's Project Zero not published its report, it's very likely the general public would never have known the vulnerability existed. In some cases that may not matter, but this time it came out that China was exploiting the vulnerability. The Chinese government was using the flaw in iOS, along with flaws in Android and Windows, to spy on Uyghurs, a group China has been putting into "reeducation camps".
In more than six months, Apple published nothing explaining the nature of the vulnerability. But just a few short days after Google's post, it managed to publish the most tone-deaf press statement I have ever seen. Apple accused Google of exaggerating the length of time the hack occurred and of "stoking fear among all iPhone users that their devices had been compromised".
It seems true that the attack itself only lasted a few months, but the security flaw existed for at least two years. In the future, Apple, if you want to set the record straight, you could publish an announcement of any flaws, along with how, and to what extent, they were exploited.
My (least) favorite part of the Apple statement reads, “The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.”
It appears true that only a small number of people visiting websites related to Uighurs were impacted. However, at least some in the targeted group have been put into forced labor camps by a nation with a terrible human rights record. The damage done by Equifax's poor security has nothing on the harm from Apple.
The Apple statement ends with, "Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they're found. We will never stop our tireless work to keep our users safe."
Well, Apple, you missed a vulnerability for two years, so I'm not sure this is the time to brag about your world-class security. Also, do you really think knowing that "Security is a never-ending journey" will somehow be comforting to the impacted group?
The silver lining to this cloud was the moment of unity among tech reporters. For one small moment in time, everyone was able to join together in saying Apple shouldn't have clicked publish.
My opinions normally put me solidly in a small and silent minority. It was nice to watch nearly everyone, for a short time, agree. I was in the majority, and that majority (at the risk of a No True Scotsman fallacy) was everyone with any knowledge of the situation at all. The big points go to Alex Stamos, who put out both an amazing Twitter thread and a corrected version of the Apple PR statement.