Apple today released a rebuttal to the security vulnerabilities that Google detailed in depth last week and called it “one of the largest attacks against iPhone users ever.” The iOS maker took issue with several key points, but Google is standing by its work.
In February, Google’s internal security teams made Apple aware of 14 vulnerabilities across five exploit chains that were used to compromise visitors to hacked websites and install a “monitoring implant.” Google did not specify the target, but alluded to these exploits allowing for the “capability to target and monitor the private activities of entire populations in real time.” Apple today cited the Uyghur community, giving credence to a TechCrunch report earlier this month that pegged China as the responsible party.
Apple does recognize the “sophisticated attack,” but believes it was “narrowly focused” and only “affected fewer than a dozen websites.” Google said as much — previously describing it as a “small collection of hacked websites” — but estimated thousands of visitors per week.
Google’s security researchers believe that the overall “sustained effort to hack the users of iPhones in certain communities” lasted two years. Apple specifies that the “website attacks were only operational for a brief period, roughly two months.”
In a statement to The Verge, Google stands by the research and emphasizes the technical aspect. Apple today seemingly took issue with the analysis coming six months later.
Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research, which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online.