How Google's Project Zero ended up attacking all iPhone users

Project Zero is the name for Google's team of security researchers tasked with tracking down and reporting zero-day vulnerabilities in operating systems, websites, and apps.

Zero-day as in the vendor didn't know about them, so they hadn't been fixed.

On Thursday, August 29, 2019, Project Zero blogged a "very deep dive" into just that — a set of exploit chains built from 0-day vulnerabilities that, they said, a small collection of hacked websites had been using as an indiscriminate watering hole attack against iPhone users.

Here's what they said:

There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.  

Back on February 1st, 2019, they'd given Apple a 7-day deadline to fix the 14 vulnerabilities across the 5 exploit chains, because that's how PZ rolls, and Apple did just that: the iOS 12.1.4 patch was released on February 7th, 2019.

So, last week's blog post wasn't about disclosure any more. It was about a deep dive. And it was legit amazing. Project Zero went into excruciating detail about the exploit chains found in the wild.

Except in two critical, crucial areas:

  1. The websites involved in the attacks.
  2. Any other operating systems that were subject to the attacks.

Why that's so critical, so crucial is simple: Facts shape coverage but so does the absence of facts.

Like I tweeted immediately after the blog post surfaced, if it was a tiny cluster of sites in a remote region vs. major multinational sites like Amazon or YouTube, that's a vastly different threat level to address.

https://twitter.com/reneritchie/status/1167450819379257344

Likewise, if it was iOS only, that's a vastly different narrative than if it was targeting Android and Windows as well.

And, yeah, we saw the results of Project Zero's write-up immediately with re-blog after re-blog covering it as an iPhone-only story that everyone in the world with an iPhone needed to worry about, if not outright panic over.

I knew it was just a matter of time before my parents saw the story on the BBC or some other mainstream media outlet and were concerned enough to ask me about it.

That took less than 24 hours, of course.

I was tempted to throw out a video fast, pointing out that missing context and saying something didn't smell right. But I didn't want to add to the noise, so I started asking around to see if I could find out some signal instead.

It was only in the last couple of days that the story started becoming clearer.

First, Zack Whittaker at TechCrunch found out that it was indeed China that was using the iPhone hacks to target Uyghur Muslims in the Xinjiang region.

According to Whittaker:

It's part of the latest effort by the Chinese government to crack down on the minority Muslim community in recent history. In the past year, Beijing has detained more than a million Uyghurs in internment camps, according to a United Nations human rights committee.

Thomas Brewster at Forbes — actual Forbes, not the hot mess that is Forbes Contributor Network — confirmed and expanded on the TechCrunch report, adding that Android and Windows users were also targeted, not just iPhone and iOS.

According to Brewster:

That Android and Windows were targeted is a sign that the hacks were part of a broad, two-year effort that went beyond Apple phones and infected many more than first suspected.

TechCrunch added:

That suggests the campaign targeting Uyghurs was far broader in scope than Google initially disclosed.

Yeeeaaaaah.

And that's a huge, huge problem.

As I, and many other people, have said repeatedly: code is so complex that there will be bugs, and there will be exploits. All that can be done about them is ethical disclosure by researchers, fast fixes by companies, and responsible reporting by everyone involved, not just the media.

Project Zero, by virtue of being owned and operated by Google, which itself operates two major software platforms in ChromeOS and Android, has an additional hurdle to overcome: they need to go out of their way to report on Google. Demonstrably. Above reproach, as they say.

What they did here was the opposite of that. Worse. They didn't under-report on Google. They failed to report on Google.

You could go so far as to call it lies of omission.

And Google, for their part, have done and said nothing to address it.

TechCrunch:

A Google spokesperson would not comment beyond the published research.

Forbes:

Neither Microsoft nor Google had provided comment at the time of publication. It's unclear if Google knew or disclosed that the sites were also targeting other operating systems.

Now, it's up to you if you want to ascribe any sinister conspiracy motives to this. Google does compete with Apple on operating systems and phones, and both have big launches this fall.

But it's tough to imagine Project Zero would ever be part of that, or Google, in general, having enough integration between teams to even coordinate anything like that.

What I think is Project Zero is composed of a bunch of nerds who just want to write about a cool exploit chain they found in the wild.

And it is cool. iOS is uniquely hard to break into. This one took 14 vulnerabilities over 5 exploit chains.


It's the exciting thing to talk about. But by effectively leaving out so much of the story, Project Zero shaped the story — and they shaped it wrong.

iOS is by no means the most popular operating system but wow is it the most popular headline. And that's what we got. Headline after completely distorted headline. Story after incomplete story.

So much attention, which I think is what Project Zero really wants.

But it's not about attention. It's about reputation.

Project Zero are superheroes, no doubt. Proven many times over. But they should want to be the Justice League. Not The Boys.

They should aim to stamp out exploits, not become part of social engineering attacks against iPhone users.

And that's what happened with this story. A lot of iPhone owners were made to be afraid beyond what the actual threat level warranted. All because the original blog post lacked context it should never have lacked.


It also delayed the start of much more important conversation. While people were worrying or gloating over iOS security, they weren't considering the existence of these exploits in general and how they're being used not just for national security but to target individuals and communities.


Burn all 0days indeed.

Update: Volexity, in a wide-ranging report on China's digital crackdown in the region, added these details about the same campaign:

  • Mobile device users running Android OS targeted via an exploit that will deliver a 64-bit ARM executable
  • Attacker's arsenal includes Google Applications for gaining access to e-mails and contact lists of Gmail accounts via OAuth

It doesn't pass the common-sense sniff test that platforms and services as popular as Google's wouldn't be targeted by this type of attack, which makes the lack of reporting by Project Zero even more troubling.


Rene Ritchie
Contributor


44 Comments
  • Navigating the Internet has become a lot easier now that I’ve realized that everything is clickbait.
  • Ah Rene to the rescue of Apple again 🤦🏼‍♂️
  • Trust you're just trying to be funny or outlandishly trolling! Rene is right on target. As soon as I saw the first report, I wondered why the dangerous websites weren't identified. Any responsible security people would have let the world know that immediately. Rene added the astute — and telling — observation that the exploit targeted Android and Google, too, but the Google Security people conveniently neglected to tell the world that. Shame on them! Indeed, their one-sided and misleading actions and representations should be punished and made illegal. Color me cynical, but could Google's wanting to stay on the good side of the Chinese government have something to do with this?!
  • This exploit was specific to iOS and did not affect Android or Windows. What Volexity reported is that this specific exploit was part of a broader campaign that included other platforms. PZ was giving details about this exploit, the fact that it resulted in negative publicity for Apple is not their concern.
  • Anybody surprised Google would play fast and loose with the truth? Thanks Rene!
  • Just because Windows and Android were targeted does not mean they were vulnerable, like iOS was. As it stands this article reads as a big fat slice of whataboutery. Furthermore, the reason why the wider non-tech media are interested in this is because Apple have spent $millions marketing how secure our iOS devices are. This vulnerability, along with the revelation that Apple aren't as respectful of our privacy as they similarly spend a fortune advertising about, and don't keep our Siri conversations locally but get 3rd parties to listen to them, means that they are going to be focused on a lot more than their competitors.
  • Apple aren't not allowed to say their systems are pretty secure, Apple generally are pretty good with security. Let's be honest, it's easier to screw yourself over on Android than it is on iOS, but all OSes are subject to exploits
  • Hey when you run around toting "security" you are going to take some blowback when things like this happens.
  • All OSes get exploited, it's no different with Apple, but Android and iOS are both pretty secure
  • hi
    Disclosing a vulnerability is cool after they are patched and the patch distributed!
    What about this trouble, how could Google Project Zero talk about an Android vulnerability?
    It can't!
    Google can patch but simply can't distribute the patch because of the multiple layers Android is built on:
    - Google itself
    - then phone manufacturers
    - then carriers
    All the work Google could do to patch is ruined by the lack of frequent updates built by manufacturers https://thenextweb.com/google/2019/08/30/android-phone-brands-ranked-on-... Google is responsible for having put Android in the most pockets without security in mind.
  • Except Google's own devices are secure and get patched each month which I cannot say the same for my iPhone 7...
  • Lol what are you smoking? iOS devices, at least the ones that are still supported, get patched pretty soon after a security exploit is known. If you aren't receiving a security update monthly, it's because that month there were no known exploits to patch. If Google have to patch their device every single month, that says more about Google than it does about Apple.
  • I wonder why Rene keeps getting invites to Apple events?
  • Oh, so only negative opinions about Apple are valid and unbiased? Why are you here posting in an Apple centric blog when you have no skin in the game?
  • It is like watching Fox News spin for Trump, it is comical. Rene is a master at it.
    I go to 9to5Mac for my Apple news, I come to iMore for the comedic back-flipping that Rene does to keep his invites coming.
    At Six Colors the headline is "Google uncovers a significant iPhone security exploit". At Apple PR (iMore) it is nothing to see here, move along, click on this affiliate link for an iPhone case.
    Maybe it was an isolated set of websites that exploited the flaw, it didn't have to be. It was still a flaw.
  • Mustard, don't bother getting into an argument with Lkrupp. Despite anyone bringing facts to an argument, if it's critical of Apple he'll immediately dismiss you as a hater and never respond or reply to a post.
  • Rene and Lkrupp's point of view is just different to yours. Rene's articles make a lot of sense, he does sometimes grossly exaggerate things, but apart from that it offers a separate viewpoint to the usual sensational negative Apple stories
  • I have never seen or heard Rene be disgusted by an Apple revelation. He will sugar coat it maybe, but that is it.
    He is an apologist that, as I said, is no different than Hannity's treatment of Trump.
  • Apple haters always waiting in the wings to pounce when something about Apple turns up. Mr. Ritchie exposes the duplicity of Google and the haters waste no time spinning it.
  • And you, as usual, can't stand it when anyone is critical of your precious Apple.
  • It just comes down to different opinions
  • "How Google's Project Zero ended up attacking all iPhone users" Um, no. Not ALL iPhone users. No problems here.
  • Technically the exploits target all iPhone users, which means all iPhone users are attacked, but you can be attacked without having damage done, because of either the OS protecting you or because the exploit doesn't apply to you in this circumstance
  • FUD Machine on full tilt here at iMore. Just ... wow!
  • Rene is a hypocrite. He has written anti-FUD articles before but spits it out as much as the rest of them.
  • Project Zero reports on a serious flaw that was in iOS, and Rene’s response is basically, “they’re liars, they want attention, and wink wink, nudge nudge, Google conspiracy.” Yikes.
  • Rene with the anti-Apple Alphabet FUD as usual. It's pretty sad Rene that you can't even get the name of the company right in this nonsense piece of "journalism". https://en.wikipedia.org/wiki/Alphabet_Inc.
  • Alphabet is Google… it doesn't really matter and it makes more sense to write Google because many people don't know what Alphabet is
  • Alphabet is NOT Google, Google is a part of Alphabet and it does in fact matter. If you're going to write a fud hit-piece at least get the name of the company you're denigrating right. Calling it by another name when it is in fact not that name is lazy journalism but I expect nothing less from Rene.
  • "It was created through a corporate restructuring of Google on October 2, 2015, and became the parent company of Google and several former Google subsidiaries. The two founders of Google assumed executive roles in the new company, with Larry Page serving as CEO and Sergey Brin as president." "The establishment of Alphabet was prompted by a desire to make the core Google internet services business "cleaner and more accountable" while allowing greater autonomy to group companies that operate in businesses other than Internet services." Did you see how many mentions of "Google" there are there? To the layman, it's Google, and by saying it's Google is not factually incorrect, as Google created Alphabet
  • It is factually incorrect. I see that you quoted from the linked article but failed to quote this part "The company would consist of Google as well as other businesses including X Development, Calico, Nest, Fiber, CapitalG, and GV" which disproves your point. Google may have created Alphabet as a parent company but to ascribe this to Google is incorrect regardless of how many mentions of Google are in the article.
  • Well I honestly just think you're nitpicking, the article still makes sense, you're the only person that's mentioned it
  • Any write-ups on Apple admitting they have 3rd parties listening to Siri's stored conversations?
  • There was and now Apple aren't doing it anymore so that case is closed
  • The Boston Strangler used to murder people, he doesn't anymore, so we are all good right?
  • Other murderers are still on the run, but if the Boston Strangler is caught, then that case is closed. If Apple aren't recording voices anymore, go after Amazon with Alexa, Samsung with Bixby, Google with Google Assistant, and Microsoft with Cortana
  • Nope. https://www.theguardian.com/technology/2019/sep/06/apple-rewrote-siri-to...
  • This article is about Apple making Siri neutral and plans for the future to improve Siri, not sure what you're trying to get at here?
  • Rene has a mad case of butthurt
  • Interesting. https://9to5mac.com/2019/09/03/ios-exploit-market-report/
  • No more than any other OS
  • Lol you might want to actually read it and not just blindly defend apple.
  • Lol I've already done my research. There are plenty of similar articles for Android and Windows. You might hear about iOS more just because it's simply more of a media target. Plenty of exploits are found in Linux but you don't really hear about it because the media isn't interested in an OS that the average person doesn't use
  • You can blame Google but they're a for-profit business, not a journalistic outlet. Only Rene here cared enough to look into the issue and Google's spin -- irresponsibly echoed by the media -- was, to say the least, lacking (actually worse but I'm being civil). The media in turn blew it full stop.