How China turned an award-winning iPhone hack against Uyghurs

In March 2017, a group of Chinese hackers arrived in Vancouver with one goal: to find hidden weak spots in the world’s most popular technologies.

Google’s Chrome browser, Microsoft’s Windows operating system, and Apple’s iPhones were all in the crosshairs. But no one was breaking the law. These were just a few of the people taking part in Pwn2Own, one of the most prestigious hacking competitions in the world.

It was the 10th anniversary of Pwn2Own, a competition that attracts elite hackers from around the world with the allure of big cash prizes if they manage to exploit previously unknown software vulnerabilities known as “zero days”. Once a flaw is found, the details are passed on to the companies involved, giving them time to correct it. The hacker, meanwhile, leaves with a financial reward and eternal bragging rights.

For years, Chinese hackers had been the most dominant force at events like Pwn2Own, winning millions of dollars in prizes and establishing themselves among the elite. But in 2017, everything stopped.

One of China’s elite hacked an iPhone. Almost overnight, Chinese intelligence used it as a weapon against a besieged ethnic minority group, striking before Apple could resolve the issue. It was a brazen act performed in broad daylight.

In an unexpected statement, the billionaire founder and CEO of Chinese cybersecurity giant Qihoo 360 – one of China’s top tech companies – publicly criticized Chinese citizens who went abroad to participate in hacking competitions. In an interview with Chinese news site Sina, Zhou Hongyi said that performing well in such events was only “imaginary” success. Zhou warned that once Chinese hackers showed off vulnerabilities in competitions overseas, they could no longer “be used.” Instead, he argued, hackers and their knowledge should “stay in China” so that they could recognize the true importance and “strategic value” of software vulnerabilities.

Beijing agreed. Soon the Chinese government banned cybersecurity researchers from participating in overseas hacking competitions. A few months later, a new competition appeared in China to replace the international competitions. The Tianfu Cup, as it was called, offered prizes totaling over $1 million.

The inaugural event was held in November 2018. The first prize of $200,000 went to Qihoo 360 researcher Qixun Zhao, who showed a remarkable chain of exploits that allowed him to easily and reliably take control of even the newest and most up-to-date iPhones. From a starting point in the Safari web browser, he found a weakness in the core of the iPhone’s operating system, its kernel. The result? A remote attacker could take control of any iPhone that visited a web page containing Qixun’s malicious code. It’s the kind of hack that can potentially be sold for millions of dollars on the open market to give criminals or governments the ability to spy on large numbers of people. Qixun named it “Chaos”.

Two months later, in January 2019, Apple released an update that fixed the flaw. There was little fanfare – just a quick note of thanks to those who discovered it.

But in August of that year, Google published an extraordinary analysis of a hacking campaign that it said “exploited iPhones en masse”. The researchers dissected five distinct exploit chains that they had spotted “in the wild.” These included the exploit that won Qixun the top prize at Tianfu, which they said had also been discovered by an anonymous “attacker”.

Google researchers pointed to similarities between the attacks they caught being used in the real world and Chaos. What their deep dive missed, however, were the identities of the victims and the attackers: Uyghur Muslims and the Chinese government.

A campaign of oppression

In the past seven years, China has committed human rights violations against the Uyghur people and other minority groups in the western province of Xinjiang. Well-documented aspects of the campaign include detention camps, systematic compulsory sterilization, organized torture and rape, forced labor and an unprecedented surveillance effort. Officials in Beijing say China is acting to combat “terrorism and extremism,” but the United States, among others, has called the actions genocide. The abuses add up to an unprecedented high-tech campaign of oppression that dominates the lives of Uyghurs, relying in part on targeted hacking campaigns.

China’s hacking of Uyghurs is so aggressive that it is effectively global, extending far beyond the country’s borders. It targets journalists, dissidents and anyone who raises suspicions in Beijing of insufficient loyalty.

Shortly after Google researchers noted the attacks, media reports connected the dots: the targets of the campaign that used the Chaos exploit were the Uyghur people, and the hackers were linked to the Chinese government. Apple published a rare blog post that confirmed that the attack took place over two months: that is, the period starting immediately after Qixun won the Tianfu Cup and extending until Apple released the patch.
