Significant iOS Vulnerabilities Used Against Uyghur Muslims in China

Originally published at: https://tidbits.com/2019/09/02/significant-ios-vulnerabilities-used-against-uyghur-muslims-in-china/

Google’s Project Zero security research team has released the details of a significant series of attacks against iOS. The vulnerabilities have all been patched now, and it appears the attacks may have been part of the Chinese government’s crackdown on the minority Uyghur Muslim community.

Security is difficult and that’s what we see here. China had a keen interest in iOS security holes and they probably spent a ton of money to find them and implement them. A bug bounty would not get the Chinese to reveal their find. Maybe it might encourage another user who found the same bug, but security holes like this are more likely to be state sponsored finds and immune from bug bounties.

Apple doesn’t appear to use automation tools that can find security holes during OS development, and they had been criticized before about this. It’s hard to say really. They aren’t designing an app, but an OS and that makes it more difficult. They also have their own development tools which make it harder to use already available tools.

I hope, if anything, this makes Apple a bit more self-aware that almost a billion people depend upon their iPhone being secure and some of them are betting their lives on it. I hope this makes Apple a bit more vigilant with OS development.

I’ve deleted all the off-topic political commentary and will continue to do so.

Thanks.

Jack Clay

jaclay@gmail.com

The political/powerplay dynamics of this are vastly more interesting than the technical. We know that despite best efforts, weaknesses exist in most software. We know that black hat companies and white hat groups like TAG dedicate their resources to finding as many of these weaknesses as they can (either to sell them to govts or companies or to alert the vendors and help everyone).
What matters most is how efficiently these weaknesses, once found, make their way back to the vendor, how quickly the vendor fixes them, and how broadly and quickly the fix gets deployed to the devices in use. In this case we have no data on who originally found the 14 compromises (except it was probably a black hat actor). They clearly were held in secret for years without the black hat actors and their customers informing Apple. Once TAG informed Apple they took <7 days to fix all 14 and issue an update. The Apple ecosystem is such that updates promulgate to the vast majority of devices, old and new, very quickly.
It is highly relevant that this was apparently communicated to Apple back in Feb and fixed in Feb…but Google chose to release this information to the public ~1wk before Apple holds an event in which they are expected to release new hardware and software that greatly increases their already strong security value prop. Google is the company who created Android for the single purpose of vacuuming up every shred of data about a user and merging it with all the other data they acquire from other sources. Their privacy abuses are many, varied and nearly continuous and are having a huge negative impact on user behavior across multiple market segments. They have a strong vested interest in muddying the waters around Apple security and privacy and they appear to be assuming the Fear, Uncertainty and Doubt (FUD) role that Microsoft used to play.

How very tolerant and open-minded of you, Adam. Just when people might step outside of the world of State Department press releases.

May I ask you to be kind enough to send me what I wrote so I could publish it independently? It doesn’t show up in my history here. Thanks for all your hard work publishing TidBITS over the years. TidBITS has been a great help to me many times. I write that to acknowledge I do not walk in your shoes and do not know the burdens you carry.

My level of tolerance and open-mindedness is irrelevant when it comes to conversations here veering off-topic, and the fact that I deleted these posts shouldn’t be interpreted as me agreeing or disagreeing with their content. Feel free to discuss US and Chinese domestic and foreign policy elsewhere.

Certainly.

I appreciate the kind words, and anything you can do to support the mission of TidBITS, which is to help individuals better use Apple and Internet technologies, is welcome.

Apple has now posted a statement taking Google to task for releasing this information.

And that has prompted a certain amount of pushback from the media.

Google told The Verge that its post was focusing on technical issues (which, if you read the actual post, is true):

Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online.