Apple Downplays Enormous iOS Security Hole That Google Found


Last Friday was the start of Labor Day weekend, so you could be forgiven for missing the highly concerning cybersecurity news that Google disclosed last week. In a series of technical blog posts, the company’s Project Zero team outlined a number of vulnerabilities in Apple’s iOS operating system. These vulnerabilities could, in certain cases, allow hackers to install software on a user’s device that gave them access to, well, pretty much everything.

Simply visiting certain websites was enough to open a backdoor into an iPhone. Decrypted messages, photos, real-time location, and so on — all were accessible via the malware that Google discovered and could be remotely uploaded from the device to a server elsewhere.

Google notified Apple about the security holes, and they were patched in February. In a rare move, Apple also publicly commented on Google’s blog posts, claiming that they mischaracterized the vulnerabilities and the intent of the hackers. The statement reads:

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community …

Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.

So there are a couple of things happening here. There’s Apple obliquely acknowledging that the attacks were, as previously reported, likely carried out by the Chinese government in service of its ongoing persecution of the Uighur Muslim community. (Apple, like every major tech company, sees China as a lucrative market and is obviously trying to stay on the government’s good side.) There’s also Apple denying that the attacks were widespread and affected countless individuals.

It’s possible — probable even — that Apple is telling the truth to the best of its understanding. Even if you believe that, however, the mere existence of these gigantic security holes calls into doubt pretty much every claim Apple has made about the iPhone’s supposedly industry-leading and often-praised security measures. In today’s statement, Apple brags, “iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software.” By most accounts, this is true, and yet we now have very concerning evidence of hackers who can subvert that end-to-end process. It’s not just who is affected or the number of people affected that matters in this story, it’s the fact that these iOS vulnerabilities existed at all.
