Apple device vulnerabilities signal need for defense and intelligence scrutiny

This week Apple released a software update for iPhones and iPads.  Not stated on the upgrade description but buried further in the link provided by Apple about the security content of this software update, was a description of two worrisome vulnerabilities.  Not only were these vulnerabilities concerning, but also how Apple came to discover them.

The vulnerabilities themselves were listed as CVE’s – “Common Vulnerabilities and Exposures” as part of the reference system established by the U.S. Department of Homeland Security’s National Cyber Security Division and operated by the MITRE Corporation to “identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.”

Apple’s description of the impact of both CVEs were exactly the same: “Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.”

According to ThreatPost.com, a Massachusetts-based independent cybersecurity news source, this could allow “remote code execution (RCE) and other attacks, completely compromising users’ systems.”

What this also means is that these CVEs were both “zero-day” vulnerabilities.  According to Norton, an industry-leading antivirus and security software developer, “The term ‘zero-day’ refers to a newly discovered software vulnerability,” and “the fact that the developers have ‘zero days’ to fix the problem that has just been exposed — and perhaps already exploited by hackers.”

Dan Goodin, the Security Editor at Ars Technica explains, “Zero-days are highly coveted by black hats and feared by defenders because they are unknown to the developers of the vulnerable software and the public at large. That means the people who discover the security flaws can use them to hack devices that are fully up to date, often with little or no detection.”

Since iPhones and iPads were cleared for use by the Pentagon for Department of Defense personnel in 2013, just after iOS software was cleared for use in the federal government, it seems there should be great interest among the military and intelligence communities to not only mitigate these two vulnerabilities, but to investigate both their origins and their discovery.

How did Apple discover these zero-day exploits?  One of them, CVE-2021-30663, was reported by “an anonymous researcher” and the other, CVE-2021-30665, was reported by three nicknamed researchers at “360 ATA.”

360 ATA is also known as “Qihoo 360” – a Beijing-based computer software company founded by Zhou Hongyi, a Chinese billionaire entrepreneur who also serves as a member of the National Committee of the Chinese People’s Political Consultative Conference (PCC) – an important political advisory body to the Chinese Communist Party (CCP).

Interestingly, a subsidiary of Qihoo 360 owned 70% of the short-lived “Tuber” web browser launched in China in late 2019 that supposedly allowed Chinese users to bypass the oppressive “Great Firewall.” The browser was met with significant skepticism and it disappeared from the app store after roughly 5 million people downloaded it. At the time, the Washington Post reported that “the most popular post on Pincong, a Reddit-like forum for Chinese geeks,” stated “This software is not only phishing for anti-Communist Party figures, but it is also meant for nationalist trolls.”

Are the “anonymous researcher” and the researchers at “360 ATA” providing a goodwill service to Apple device users worldwide?  Perhaps. Mr. Hongyi certainly cares about cybersecurity.  In a 2020 proposal to the 13th National Committee of the PCC, he said “Only by building the cybersecurity protection system for new infrastructure can we push forward the new infrastructure strategy smoothly and ensure the healthy development of the digital economy.”

Hongyi’s company has publicly blamed U.S. Intelligence for hacks inside China, inspiring the Global Times China, a mouthpiece for the CCP, to write that “[L]egal and all other possible channels should be considered to remedy the damages the US attacks have imposed on Chinese institutions and the public.”

The larger question, perhaps, is who exactly is writing the code for Apple’s software and from where?

Of the 22 “zero-day” vulnerabilities discovered in 2021 so far, nearly one third were iOS.