"First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones 'en masse' as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community," the statement reads. "Google’s post, issued six months after iOS patches were released, creates the false impression of 'mass exploitation' to 'monitor the private activities of entire populations in real time,' stoking fear among all iPhone users that their devices had been compromised. This was never the case."
The company also disputed aspects of Google's timeline, saying that the malicious sites were operational for two months, rather than the roughly two years Google had estimated. Apple's statement also says that it had already discovered the vulnerabilities a few days before Google brought them to Apple's attention. "We were already in the process of fixing the exploited bugs," Apple says. The eventual patch went out on February 7 as part of the iOS 12.1.4 update.Apple did not, however, dispute the specifics of how the campaign worked. Researchers from Google's elite Project Zero security group identified five different exploit strategies the malicious sites could use to compromise iPhones running almost every version of iOS 10 through iOS 12. The sites, which had thousands of visitors per week, would assess victim devices and then infect them, if possible, with powerful monitoring malware. The attackers reportedly targeted Microsoft Windows and Android devices as well.
The Apple statement also doesn't contravene the central significance of the attacks. Security experts have long assumed that iPhone hacks primarily target very specific, high-value victims, because iOS vulnerabilities that can provide such deep system access to attackers are too rare and prized to risk revealing in mass campaigns. In this situation, though, attackers were using numerous valuable iOS exploits with abandon, shifting that established paradigm.
"Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies," wrote a Google spokesperson in response to Apple's statement. "We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online."
As Project Zero laid out last week , the malicious sites took advantage of 14 vulnerabilities across five distinct exploit chains, a series of steps that exploit bugs sequentially to gain deeper and deeper access. Google's researchers found that the attackers focused on defeating the protections surrounding key, often-attacked areas of iOS. Seven of the bugs related to Apple's Safari browser. Five vulnerabilities were in the kernel, the operating system's core code. And the hackers exploited two distinct "sandbox escape" vulnerabilities, used to defeat protections against apps from interacting with other programs or data.