
I disagree with your assessment here - mostly because you're implying that your views reflect the majority of people.

You're reading Hacker News, you're not an average iPhone user. The Project Zero announcement was sensationalized - press is good for them. It was then picked up and further sensationalized by large news outlets whose readers are nowhere near as technically literate as HN's audience is.

They didn't understand what was being written other than "zomg, website can hax my entire phone and could've for two years, I assume all my data is on the darkweb".

The nuance and details were completely lost on an average iPhone user.

Google has some responsibility when identifying flaws in consumer devices and software to be more clear about the actual impact, ramifications, and likelihood that your device was compromised.




> Google has some responsibility when identifying flaws in consumer devices and software to be more clear about the actual impact, ramifications, and likelihood that your device was compromised.

https://googleprojectzero.blogspot.com/2019/08/a-very-deep-d...

"Earlier this year Google's Threat Analysis Group (TAG) discovered a small collection of hacked websites."

"We estimate that these sites receive thousands of visitors per week."

"TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years."

Google was responsible in identifying the estimated scope. They didn't say it was widespread or impacting millions of devices. And that there are vulnerabilities for 2 years' worth of iOS versions is pretty reasonable evidence that this has been a 2 year project.

Meanwhile Apple's counter-claims sound like pure damage control with no supporting evidence. They claim it was only operational for 2 months. Yet they provide no justification or evidence for that claim. They are in no position to monitor what happens on the web as they don't crawl it, and don't even attempt to explain why there would be exploits for 2 years of OS versions if this was only operational for 2 months.

But I'm not seeing any reason to believe Google was anything but responsible in its disclosure, nor that they sensationalized it in any way.


«[Apple] claim it was only operational for 2 months. Yet they provide no justification or evidence for that claim. They are in no position to monitor what happens on the web as they don't crawl it, and don't even attempt to explain why there would be exploits for 2 years of OS versions if this was only operational for 2 months.»

I agree. Google provided ample evidence why they believe the websites must have been exploiting phones for about 2 years (https://1.bp.blogspot.com/-97vEtS5TpiM/XWfds8hYAyI/AAAAAAAAN...). Meanwhile Apple appear to be playing down the severity of all this with zero evidence.


I may be mistaken, but I'm interpreting the bars as meaning the span of dates during which that particular exploit chain worked against the latest version of iOS.

Chain 1: iOS 10 launched 13 Sep 2016 and 10.1.1 lost relevance when 10.2 was launched on 12 Dec 2016

Chain 2: iOS 10.3 was launched 27 Mar 2017 and lost relevance when iOS 11 was launched on 19 Sep 2017.

Chain 3: iOS 11 was launched 19 Sep 2017 and lost relevance with the release of iOS 11.4.1 on 9 July 2018

Chain 5: iOS 11.4.1 was launched on 9 July 2018 and worked until the release of 12.1.3 on 22 Jan 2019.

Chain 4: iOS 12 was launched 17 Sep 2018 and worked until 12.1.1 which was released on 5 Dec 2018.

The span of dates during which a particular version of iOS was the latest release does not necessarily mean that exploit chain was active contemporaneously. I can think of several reasons for someone to be unable to upgrade to the latest version of iOS, requiring an attacker to maintain and deploy exploit chains for multiple versions of iOS simultaneously.

1) Apple has historically dropped support for older iPhones with each new iOS major version.

2) Users who jailbreak tend to refuse to update until a jailbreak emerges for the new version.

3) Some users are slow to update

4) Some users might just refuse to update

Because of this reasoning I find it plausible that Apple only has evidence that the exploit chains were active for only two months and that the attacker chose to deploy the five chains for only two months. I do not find Google's chart insightful for understanding this attack.


None of the exploit chains Google found support iPhones too old to receive the latest iOS version, probably because that would require 32-bit versions of the exploits. There also don't seem to be any 10.0.x or 10.1.x-only jailbreaks, so that doesn't explain the ancient exploits for those versions either; there seem to have been a few months at the end of 2017 where the best jailbreak was a 10.2.1-only one, but that version ain't supported by any of the exploits here and it was quickly obsoleted by jailbreaks which supported all 10.x versions. (Interestingly, those jailbreaks used the same bug as exploit 2 here, but they supported more versions and used different techniques to exploit it. That strongly suggests this exploit was developed and used prior to the release of those jailbreaks in late 2017/early 2018.)

Also, note that the exploit used in chain 4 was unpatched when Google discovered it. It looks like the reason it doesn't support newer iOS versions is because they abandoned it in favour of the cleaner chain 5, which entirely obsoletes it in terms of versions and devices targeted. Just this pair of exploits alone suggests that the attack was live in the wild for at least a year.

In theory I suspect that most recent exploit could be backported to cover all the iOS versions covered by all the other exploits too (and some they missed) but they just didn't bother.


Semi-untethered jailbreaks exist for 32-bit iOS devices running up to iOS 10.3.3. I wonder whether a complete exploit chain as detailed in the Project Zero post wasn't possible for 32-bit devices or the attackers just didn't care about those devices.


>Meanwhile Apple's counter-claims sound like pure damage control with no supporting evidence.

I guess Apple could go back and look at their crash report telemetry to determine when the exploits were active. Google doesn't have that type of historical data for iOS devices. Of course there was no mention of that as evidence.


Also presumably these are exploits to burn - lower value exploits for whatever reason.

E.g. once an exploit is detected by Apple, you might as well use it. Or an exploit that is only relevant to an iOS version with a low install base - just use it.


> And that there are vulnerabilities of 2 years worth of iOS versions is pretty reasonable evidence that this has been a 2 year project.

My thought was that they could be to target old versions, even if the site is new, but if the new exploits work on old versions that seems unlikely (though it could be to limit the exposure of the new zero-day - fingerprint an old version, present an old exploit - but if the exploits are new, that seems like a lot of work for next-to-no benefit).


> My thought was that they could be to target old versions, even if the site is new

That would make a lot of sense if we were talking about Android, but how many iOS devices are still on iOS 10? Apple's stats show 97% of devices are iOS 11+ ( https://developer.apple.com/support/app-store/ ). It seems rather unlikely that someone would invest in finding & weaponizing a zero-day exploit against iOS 10 for less than 3% of users. Possible, sure, but Apple's claims need evidence here.


Apple's figures show that 97% of devices that can be upgraded were upgraded. A lot of people keep using Apple devices that are out of support.


Depends on how many people in the target group are running those versions.


> Google has some responsibility when identifying flaws in consumer devices and software to be more clear about the actual impact, ramifications, and likelihood that your device was compromised

I don't think that's Google's job at all, especially for a competitor's product.

Their project is to identify security vulnerabilities and disclose them to the public, in the name of public interest. We always have to assume worst case for security vulnerabilities, it's kind of the whole job of being a security researcher to determine what could have happened. Their job isn't to make Apple's users feel better.

It's also not Google's fault that media known for being wildly off-base when reporting on technical news was predictably off-base again.


> I don't think that's Google's job at all, especially for a competitor's product.

To be credible, it would be especially true for a competitor's product. If you're even remotely insinuating that they can or should go softer on themselves than others, they're 100% not credible, and that would only make Apple's stance that much more legitimate. If they aren't at least as tough on themselves - and they should probably be tougher on themselves than others - it's just a marketing team.

But I do think they have that responsibility. Disclosing flaws and vulnerabilities for consumer use cases requires nuance and less "just the facts, ma'am" otherwise you're actually doing more harm than good.

The stories will be blown out of proportion, and the world will go numb to them. Because the little, low impact issues are constant background noise - when they get blown out of proportion and 0.000001% are affected, and 90%+ were patched 6 months ago, all this does is contribute to the noise, and doesn't improve the signal.


> To be credible, it would be especially true for a competitor's product.

At this point, I don't think it matters much to the typical consumer. Both camps have their fair share of zealots, and short of a press release stating something horrific, most people don't care to switch to the other side. iOS users claim superiority for their device features like iMessage, cameras, and UX, while Android users pretend like their device is for the technologically enlightened.

Credibility in a report like this is a non-issue for most users. It's not about responsible disclosure, facts, and the truth. It's about marketing.


> in the name of public interest.

It's funny how their public interest seems to stop at the line where Google looks good and their competitors look bad.

I would say that their public interest mission should include not inciting unnecessary mass panic by exaggerating claims or by using imprecise language that would allow the media to make exaggerated claims.

You know, like how they use much more toned down rhetoric when releasing info on Android bugs.


Absolutely. These articles erode trust in the competitors of Google. The fact that Apple was aware of the vulnerabilities and in the process of fixing them is lost on the public. They were apparently working on fixing these bugs for 10 days prior to Project zero.

Maybe this sensationalism furthers the public interest by turning software security into a weird zero-sum game where every company is trying to break their competitors' products. But I can also see how cases like this create a negativity that prevents companies from collaborating to fundamentally improve security.


> But I can also see how cases like this create a negativity that prevents companies from collaborating to fundamentally improve security.

The security community works like this (public responsible disclosure), _because_ companies overwhelmingly proved that they couldn't be trusted to collaborate with security researchers.


> They were apparently working on fixing these bugs for 10 days prior to Project zero.

That’s not what the Apple press release says. It says that it took them 10 days from when they learned about the bugs until they had “resolve[d] the issue” (fix implemented? released?).

Presumably Google contacted them sometime in between when Apple first learned about the bugs and when they finished fixing them.


> Maybe this sensationalism furthers the public interest by turning software security into a weird zero-sum game where every company is trying to break their competitors products.

This isn't a Maybe. Narrowing in on the statement of fact "where every company is trying to break their competitors products," query Ben Hawkes of Project Zero for an exact quote, but this about 100% lines up with it.


Project Zero attacks Google's projects just as much as anyone else's, and they're even more aggressive in things like sticking to their disclosure timeline. They definitely don't pull punches or play favorites.


What mass panic? Did I miss the part where entire towns were burning their iPhones? Most people don’t know or care about security, and even if this was “sensationalized” do you honestly believe everyone didn’t just forget about it a week later? Is there anyone who actually believes this will have any effect on iPhone sales?


It seems you did miss all the press coverage of this event.

Here's one: https://www.vice.com/en_us/article/mbmgqp/this-is-worst-year...


No, I saw that -- maybe you missed every other flavor-of-the-week coverage for the past 10 years? Panic refers to users' reactions -- not what the news cycle generates for a given week. When information about Uber came out, at least #dumpuber trended or whatever, actual users wanting to change their behavior in response to events relating to a company. I didn't see that at all with this. This article is entirely about how members of the industry feel about Apple I guess? At least when the assertions aren't completely passive like "Apple’s perception as the secure consumer device is starting to crack." -- Apple's perception has cracked WITH WHOM??

The general population is completely burnt out about security stuff -- they hear about their bank getting hacked and releasing all their records like twice a year now. No one "panics" over that anymore either. This is no different, if they'll even be able to recall them being separate events a year from now.


Ironically Google behaves differently on their own products.

https://arstechnica.com/information-technology/2019/09/andro...

Waiting for the patch to come to my devices...


> Waiting for the patch to come to my devices...

And the 5 post write up on the PZ blog.

Security with mobile devices is definitely a don't throw stones in glass houses situation.


Why would PZ write up a post on what they didn't find?

And in the past they've definitely written posts on issues that only affect Android (as far as mobile goes), like their super deep dive into remote broadcom wireless exploits.

https://googleprojectzero.blogspot.com/2017/04/over-air-expl...


Probably not a great example, given that Broadcom bugs affect anyone using Broadcom, which, yep, includes iPhones:

> A partial list of devices which make use of this platform includes the Nexus 5, 6 and 6P, most Samsung flagship devices, and all iPhones since the iPhone 4.


That report was published by Trend Micro's Zero Day team, not Google's. Also, bear in mind that Project Zero and Android aren't the same team. And PZ does sometimes get the same response from Android as Trend Micro did. And it results in public disclosures just like this one.


Maybe, but what about me actually getting those patches?


> I don't think that's Google's job at all, especially for a competitor's product.

I think that any level of care they would take in describing the impact of a flaw in their own product, ethically, the same level of care must be taken when describing the impact of security flaws in a competitor’s product.

Otherwise this goes from white-hat to grey-hat hacking, and it serves to undermine the stated goals and intentions of Project Zero.


> I don't think that's Google's job at all, especially for a competitor's product.

If they want security professionals to pay attention to them, it is.

I accept that maybe P0 just didn't carefully think through what they were saying; they've been straight shooters in the past. But they definitely gave both a misleading impression about the situation they described _and_ downplayed other risks.

If that keeps happening, I (for one) will end up treating them more like Oracle's security/marketing department. And that would be a serious loss, because P0 has been doing really good work.


> I don't think that's Google's job at all, especially for a competitor's product.

I don't think you quite understand why the Google Project Zero team exists in the first place. Their job is to make the world a more secure place. They seem to choose whatever they want to work on to maximize their impact on the world, ranging from Intel processors to iPhones to some first-party technologies like Chrome.


How do you know why project zero exists?


It says on their website:

> Project Zero's mission is to make 0-day hard. We often work with other companies to find and report security vulnerabilities, with the ultimate goal of advocating for structural security improvements in popular systems to help protect people everywhere.


Why they say they exist and why they actually exist are two different things entirely. There’s not a single corporation (except maybe B corps) that spends money like this without a competitive agenda. Off the top of my head are a couple obvious reasons for PZ: to help with recruitment, to give the company some good press, to make their competitors look bad, or to fix their own Android exploits before anyone else knows.


> It's also not Google's fault that media known for being wildly off-base when reporting on technical news was predictably off-base again.

It is at least plausible that Google structured the posts and announcements to exploit that ignorant media coverage for their own competitive advantage.

So at least arguably their “fault” as they have ample experience with that media coverage process themselves.


> I don't think that's Google's job at all, especially for a competitor's product.

It's in their financial interest to do so. They don't want their users' Gmail data (or data from other Google services) to leak, even if it's not their fault.


Given the dire situation of security, this can't be a "let the market figure out the solution" situation. When it comes to whether Google's IoT devices work with Amazon's, I would personally love for them all to work together, but for profitability, maybe that's not in Google's best interests. That's fine.

But for security, they need to be working together. This is definitely a "rising tide lifts all boats" situation.


>> We always have to assume worst case for security vulnerabilities, it's kind of the whole job of being a security researcher to determine what could have happened.

Many people will be annoyed by this "assume the worst" drama.

For example, drinking too much water, if we assume the worst, can kill you.

Also, walking around can kill you, if we assume the worst.

Also, just being around can kill you, if we assume the worst, hey, you could die of a stroke.

So, how is this "assume the worst" statement useful?


> It's also not Google's fault that media known for being wildly off-base when reporting on technical news was predictably off-base again.

Er, yes it is? Or rather, to make a finer point, it was their responsibility—i.e., they knew the causal chain that would inevitably result from their action and chose to perform that action anyway.

If you knowingly give an alcoholic a drink, you’re responsible for them falling off the wagon.

If you leave your pet mouse out next to your pet cat and leave the room, you’re responsible when the mouse is eaten.

If you can clearly foresee something bad happening, and you have an alternative path that avoids that thing happening, and you choose to go down the path where the thing happens: your responsibility.

That’s not to say that nobody else is responsible. Responsibility is not exclusive. A war, for example, is the responsibility of two parties—either side can just give in to the demands of the other, to avoid it. Both parties, in their choice to not give in, are responsible for the war.


You're not wrong that the people who read Hacker News do not represent the average iPhone user. But then again, Average Jane and Joe are already used to bullshit PR speak that attempts to downplay issues, and will see through most of it.

Apple could have written "Google is correct that the bugs existed for 2 years, but Google as well as us only found evidence that the bugs were actually exploited for a total of about two months and targeted a very narrow group of specific users." and so on.

Instead they opted for a "Google is lying about us!!1! They are IMPLYING THINGS". If a company as big as Apple with well stocked legal and PR departments publishes a press release like that, my mind immediately goes to "what are they trying to hide or downplay".


>They didn't understand what was being written other than "zomg, website can hax my entire phone and could've for two years, I assume all my data is on the darkweb".

Seriously... did you overhear me talking to my relatives?

If not, you absolutely nailed the public perception.


iOS zero-day RCE vulnerabilities were used, for a significant period of time, by the PRC to target its threatened Uighur minority and friends of that community. People probably died as a result. If anything, the findings of Google's report weren't sensationalized enough.


Apparently it was Uighurs outside of China that were also targeted by Android vulnerabilities, as per this article: "Confirmed: Google’s Android Suffers Sustained Attacks By Anti-Uighur Hackers" https://www.forbes.com/sites/thomasbrewster/2019/09/03/confi...

(Edit: added title, changed wording to remove unclear usage of expat).


I suppose you are both right but what it has done is further polarized and emphasized the tribalism between those that support google and those that support Apple. Not that bad of a marketing play from Apple...





