> Google has some responsibility when identifying flaws in consumer devices and software to be more clear about the actual impact, ramifications, and likelihood that your device was compromised.
"Earlier this year Google's Threat Analysis Group (TAG) discovered a small collection of hacked websites."
"We estimate that these sites receive thousands of visitors per week."
"TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years."
Google was responsible in identifying estimated scope. They didn't say it was widespread or impacting millions of devices. And that there are vulnerabilities for 2 years' worth of iOS versions is pretty reasonable evidence that this has been a 2 year project.
Meanwhile Apple's counter-claims sound like pure damage control with no supporting evidence. They claim it was only operational for 2 months. Yet they provide no justification or evidence for that claim. They are in no position to monitor what happens on the web as they don't crawl it, and don't even attempt to explain why there would be exploits for 2 years of OS versions if this was only operational for 2 months.
But I'm not seeing any reason to believe Google was anything but responsible in its disclosure, nor that they sensationalized it in any way.
> [Apple] claim it was only operational for 2 months. Yet they provide no justification or evidence for that claim. They are in no position to monitor what happens on the web as they don't crawl it, and don't even attempt to explain why there would be exploits for 2 years of OS versions if this was only operational for 2 months.
I agree. Google provided ample evidence why they believe the websites must have been exploiting phones for about 2 years (https://1.bp.blogspot.com/-97vEtS5TpiM/XWfds8hYAyI/AAAAAAAAN...). Meanwhile Apple appear to be playing down the severity of all this with zero evidence.
I may be mistaken, but I'm interpreting the bars as meaning the span of dates during which that particular exploit chain worked against the latest version of iOS.
Chain 1: iOS 10 launched 13 Sep 2016 and 10.1.1 lost relevance when 10.2 was launched on 12 Dec 2016.
Chain 2: iOS 10.3 was launched 27 Mar 2017 and lost relevance when iOS 11 was launched on 19 Sep 2017.
Chain 3: iOS 11 was launched 19 Sep 2017 and lost relevance with the release of iOS 11.4.1 on 9 July 2018.
Chain 5: iOS 11.4.1 was launched on 9 July 2018 and worked until the release of 12.1.3 on 22 Jan 2019.
Chain 4: iOS 12 was launched 17 Sep 2018 and worked until 12.1.1 which was released on 5 Dec 2018.
The span of dates during which a particular version of iOS was the latest release does not necessarily mean that exploit chain was active contemporaneously. I can think of several reasons for someone to be unable to upgrade to the latest version of iOS, requiring an attacker to maintain and deploy exploit chains for multiple versions of iOS simultaneously.
1) Apple has historically dropped support for older iPhones with each new iOS major version.
2) Users who jailbreak tend to refuse to update until a jailbreak emerges for the new version.
3) Some users are slow to update
4) Some users might just refuse to update
Because of this reasoning I find it plausible that Apple only has evidence that the exploit chains were active for two months and that the attacker chose to deploy the five chains for only two months. I do not find Google's chart insightful for understanding this attack.
None of the exploit chains Google found support iPhones too old to receive the latest iOS version, probably because that would require 32-bit versions of the exploits. There also don't seem to be any 10.0.x or 10.1.x-only jailbreaks, so that doesn't explain the ancient exploits for those versions either; there seem to have been a few months at the end of 2017 where the best jailbreak was a 10.2.1-only one, but that version isn't supported by any of the exploits here and it was quickly obsoleted by jailbreaks which supported all 10.x versions. (Interestingly, those jailbreaks used the same bug as exploit 2 here, but they supported more versions and used different techniques to exploit it. That strongly suggests this exploit was developed and used prior to the release of those jailbreaks in late 2017/early 2018.)
Also, note that the exploit used in chain 4 was unpatched when Google discovered it. It looks like the reason it doesn't support newer iOS versions is because they abandoned it in favour of the cleaner chain 5, which entirely obsoletes it in terms of versions and devices targeted. Just this pair of exploits alone suggests that the attack was live in the wild for at least a year.
In theory I suspect that most recent exploit could be backported to cover all the iOS versions covered by all the other exploits too (and some they missed) but they just didn't bother.
Semi-untethered jailbreaks exist for 32-bit iOS devices running up to iOS 10.3.3. I wonder whether a complete exploit chain as detailed in the Project Zero post wasn't possible for 32-bit devices or the attackers just didn't care about those devices.
>Meanwhile Apple's counter-claims sound like pure damage control with no supporting evidence.
I guess Apple could go back and look at their crash-report telemetry to determine when the exploits were active. Google doesn't have that type of historical data for iOS devices. Of course there were no mentions of that as evidence.
Also presumably these are exploits to burn - lower value exploits for whatever reason.
E.g. once an exploit is detected by Apple, you might as well use it. Or an exploit that is only relevant to an iOS version with a low install base - just use it.
> And that there are vulnerabilities of 2 years worth of iOS versions is pretty reasonable evidence that this has been a 2 year project.
My thought was that they could be to target old versions, even if the site is new, but if the new exploits work on old versions that seems unlikely (though it could be to limit the exposure of the new zero-day - fingerprint an old version, present an old exploit - but if the exploits are new, that seems like a lot of work for next-to-no benefit).
> My thought was that they could be to target old versions, even if the site is new
That would make a lot of sense if we were talking about Android, but how many iOS devices are still on iOS 10? Apple's stats show 97% of devices are iOS 11+ ( https://developer.apple.com/support/app-store/ ). It seems rather unlikely that someone would invest in finding & weaponizing a zero-day exploit against iOS 10 for less than 3% of users. Possible, sure, but Apple's claims need evidence here.
https://googleprojectzero.blogspot.com/2019/08/a-very-deep-d...