Google’s Project Zero, a group of Google cybersecurity professionals who examine and analyze vulnerabilities in major software such as iOS, Android, Chrome, OS X, and Windows, recently wrote a blog post disclosing an iPhone hack that was carried out over a span of two years and required nothing more than visiting a website using Safari. Once the device is compromised, the attacker has access to its contents, including usernames, passwords, photos, contacts; you name it, they got it. Whilst this is extremely scary, the attack is not persistent, meaning that when you reboot your iPhone, the attacker’s access gets wiped out until the next time the website is visited and reinfects the iPhone. The methods used to compromise the iPhone were quickly addressed by Apple via the iOS 12.1.4 patch issued earlier this year. So, yes, dear readers — update your iOS devices religiously!
Project Zero’s blog post, however, did not disclose which websites were being used to compromise the iPhone. Nor did it disclose whether Android was also targeted.
Over a span of days, after the blog post had been covered by bloggers and the media, with iOS users worried about whether their devices had been compromised (thanks to the non-disclosure of the websites used for the attack), TechCrunch and Forbes (I don’t personally trust Forbes on anything about Apple, except when I think the author is trustworthy and fair) reported that Android (and Windows) were also targeted, and also named the websites used in the attack (sites used by a Chinese Muslim ethnic minority group). The cybersecurity company Volexity provided even more details on the hack, revealing an even worse situation for Android: an application is even created on the device (which can’t be deleted by a mere reboot!).
Two media outlets based abroad reached out to Google for comment, but Google has been silent. What are they hiding? Well, here’s my conspiracy theory:
1. Google’s Project Zero omitted mentioning the sites in their blog post. I think they didn’t want to disclose it to prevent other researchers from discovering that the Android platform is also targeted (which it was!), and that the attack is even more severe on Android (it is!). In addition, now that we know that it involves a Chinese Muslim ethnic minority group, disclosing the sites will paint Google in a bad light, which will affect their plans of going back to China (yeah, we all know that they’re doing everything to regain that lost market!). This non-disclosure caused a lot of iOS users anxiety — not knowing whether the websites they visited in the last two years were part of the attack!
2. Google’s Project Zero intentionally did not mention Android. This gives an impression that Android is invulnerable to this targeted attack, hence better than iOS! I doubt that Project Zero did not discover the same tactics used against Android — knowing how good they are at discovering vulnerabilities. Perhaps what they discovered is even more damning for their own platform — which turned out to be true!
3. The timing of Google’s Project Zero blog post is also suspect. Apple released the patch, iOS 12.1.4, early this year. Why didn’t they post it a few weeks after? Well, timing is everything! In a few days, Apple will be releasing the new iPhone, with Google’s Pixel 4 following several days after. Casting doubt on the iPhone is the intention of the blog post’s timing! Considering that Apple’s new iPhone will come with the latest iOS 13, which comes with even stricter rules to protect users’ privacy — Google does not want more users to choose the iPhone!
The takeaway from this is to be extra careful when transacting online, and be extra vigilant.
The unfortunate lesson here is to scrutinize Project Zero’s reports! Take a step back and question the motives behind the report. This does not mean discounting Project Zero’s reports — they are among the best cybersecurity professionals today, and they are doing a great job at disclosing vulnerabilities, and we, iOS users, owe them a lot! Remember, Project Zero, after all, is part of Google, which has everything to gain when people doubt the competition.
If you only have one lesson to learn from this, then I hope that it is this — always update your operating system, be it iOS, OS X, watchOS, tvOS, Linux, Android, or Windows!