When does a team dedicated to ferreting out bugs, exploits, and vulnerabilities turn into its own form of malware attack? For Google’s Project Zero, the answer just may have been this week.
Project Zero is the name for Google’s team of security researchers tasked with tracking down and reporting zero-day vulnerabilities in operating systems, websites, and apps.
Zero-day as in they’ve not previously been disclosed and, so, haven’t been fixed.
On Thursday, August 29, 2019, Project Zero blogged a “very deep dive” into just that — a chain of 0-day vulnerabilities that they said were being used by a small collection of hacked websites as an indiscriminate watering hole attack against iPhone users.
Here’s what they said:
There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.
Back on February 1st, 2019, they’d given Apple a 7-day deadline to fix the 14 vulnerabilities across 5 exploit chains, because that’s how PZ rolls, and Apple did just that — the iOS 12.1.4 patch was released on February 7th, 2019.
So, last week’s blog post wasn’t about disclosure any more. It was about a deep dive. And it was legit amazing. Project Zero went into excruciating detail about the exploit chains found in the wild.
Except in two critical, crucial areas:
- The websites involved in the attacks.
- Any other operating systems that were subject to the attacks.
Why that’s so critical, so crucial is simple: Facts shape coverage but so does the absence of facts.
Like I tweeted immediately after the blog post surfaced, if it was a tiny cluster of sites in a remote region vs. major multinational sites like Amazon or YouTube, that’s a vastly different threat level to address.
Terrific drill-down on a web-based iOS exploit chain. But, I can’t find any info on what kind of sites were being used? If they were a tiny cluster in a remote region vs. major multinational, it’s a very different threat level.https://t.co/CZM4SksLMN
— Rene Ritchie (@reneritchie) August 30, 2019
Likewise, if it was iOS only, that’s a vastly different narrative than if it was targeting Android and Windows as well.
And, yeah, we saw the results of Project Zero’s write-up immediately with re-blog after re-blog covering it as an iPhone-only story that everyone in the world with an iPhone needed to worry about, if not outright panic over.
I knew it was just a matter of time before my parents saw the story on the BBC or some other mainstream media outlet and were concerned enough to ask me about it.
That took less than 24 hours, of course.
I was tempted to throw out a video fast, pointing out that missing context and saying something didn’t smell right. But I didn’t want to add to the noise, so I started asking around to see if I could find out some signal instead.
It was only in the last couple of days that the story started becoming clearer.
First, Zack Whittacker on TechCrunch found out that it was indeed China that was using the iPhone hacks to target Uyghur Muslims in the Xinjiang region.
According to Whittacker:
It’s part of the latest effort by the Chinese government to crack down on the minority Muslim community in recent history. In the past year, Beijing has detained more than a million Uyghurs in internment camps, according to a United Nations human rights committee.
Thomas Brewster at Forbes — actual Forbes, not the hot mess that is Forbes Contributor Network — confirmed and expanded on the TechCrunch report, adding that Android and Windows users were also targeted, not just iPhone and iOS.
According to Brewster:
That Android and Windows were targeted is a sign that the hacks were part of a broad, two-year effort that went beyond Apple phones and infected many more than first suspected.
That suggests the campaign targeting Uyghurs was far broader in scope than Google initially disclosed.
And that’s a huge, huge problem.
As I, and many other people have said repeatedly, code is so complex that there will be bugs and there will be exploits and all that can be done about them is ethical disclosure by researchers, fast fixes by companies, and responsible reporting by not just the media but everyone involved.
Project Zero, by virtue of being owned and operated by Google, which operates two of the major software platforms with ChromeOS and Android, has an additional hurdle to overcome — they need to go out of their way to report on Google. Demonstrably. Above reproach, as they say.
What they did here was the opposite of that. Worse. They didn’t under-report on Google. They failed to report on Google.
You could go so far as to call it lies of omission.
And Google, for their part, have done and said nothing to address it.
A Google spokesperson would not comment beyond the published research.
Neither Microsoft nor Google had provided comment at the time of publication. It’s unclear if Google knew or disclosed that the sites were also targeting other operating systems.
Now, it’s up to you if you want to ascribe any sinister conspiracy motives to this. Google does compete with Apple on operating systems and phones, and both have big launches this fall.
But it’s tough to imagine Project Zero would ever be part of that, or Google, in general, having enough integration between teams to even coordinate anything like that.
What I think is Project Zero is composed of a bunch of nerds who just want to write about a cool exploit chain they found in the wild.
And it is cool. iOS is uniquely hard to break into. This one took 14 vulnerabilities over 5 exploit chains.
Put things in perspective:
– These aren’t new 0-days. They’ve all been patched over time, hence why 5 chains used.
– Apple actually strives for security/privacy. Others make a business from flouting the latter.
– What, Android is more secure? *Cough* CamScanner*Cough* 🤮
— 62657156686f6a75636a4d21506a736699a0f1548b (@Morpheus______) August 30, 2019
It’s the exciting thing to talk about. But by effectively leaving out so much of the story, Project Zero shaped the story — and they shaped it wrong.
iOS is by no means the most popular operating system but wow is it the most popular headline. And that’s what we got. Headline after completely distorted headline. Story after incomplete story.
So much attention, which I think is what Project Zero really wants.
But it’s not about attention. It’s about reputation.
Project Zero are superheroes, no doubt. Proven many times over. But they should want to be the Justice League. Not The Boys.
They should aim to stamp out exploits, not become part of social engineering attacks against iPhone users.
And that’s what happened with this story. A lot of iPhone owners were made to be afraid beyond what the actual threat level warranted. All because the original blog post lacked context it should never have lacked.
I can easily justify 0day use for legitimate national security threats given narrow scoping and targeted use, but what has been uncovered by project zero is absolutely not that, and one of the most frightening things I have seen in my “career” as an iOS 0day researcher.
— qwertyoruiop (@qwertyoruiopz) September 1, 2019
It also delayed the start of much more important conversation. While people were worrying or gloating over iOS security, they weren’t considering the existence of these exploits in general and how they’re being used not just for national security but to target individuals and communities.
Burn all 0days indeed.
Update: Volexity, in a wide-ranging report on China’s digital crackdown in the region, added this to the attack surface:
Mobile device users running Android OS targeted via an exploit that will deliver a 64-bit ARM executable
Attacker’s arsenal includes Google Applications for gaining access to e-mails and contact lists of Gmail accounts via OAuth
It doesn’t pass the common-sense sniff test that platforms and services as popular as Google’s wouldn’t be targeted by this type of attack, which makes the lack of reporting by Project Zero even more troubling.
VECTOR | Rene Ritchie
- Video: YouTube
- Podcast: Apple | Overcast | Pocket Casts | RSS
- Column: iMore | RSS
- Social: Twitter | Instagram