How China Turned a Prize-Winning iPhone Hack Against the Uyghurs (technologyreview.com) 38
An attack that targeted Apple devices was used to spy on China's Muslim minority -- and US officials claim it was developed at the country's top hacking competition. An anonymous reader shares an excerpt from an MIT Technology Review article: The Tianfu Cup offered prizes that added up to over a million dollars. [It was held in November 2018, shortly after the Chinese banned cybersecurity researchers from attending overseas hacking competitions.] The $200,000 top prize went to Qihoo 360 researcher Qixun Zhao, who showed off a remarkable chain of exploits that allowed him to easily and reliably take control of even the newest and most up-to-date iPhones. From a starting point within the Safari web browser, he found a weakness in the core of the iPhones operating system, its kernel. The result? A remote attacker could take over any iPhone that visited a web page containing Qixun's malicious code. It's the kind of hack that can potentially be sold for millions of dollars on the open market to give criminals or governments the ability to spy on large numbers of people. Qixun named it "Chaos."
Two months later, in January 2019, Apple issued an update that fixed the flaw. There was little fanfare—just a quick note of thanks to those who discovered it. But in August of that year, Google published an extraordinary analysis into a hacking campaign it said was "exploiting iPhones en masse." Researchers dissected five distinct exploit chains they'd spotted "in the wild." These included the exploit that won Qixun the top prize at Tianfu, which they said had also been discovered by an unnamed "attacker." The Google researchers pointed out similarities between the attacks they caught being used in the real world and Chaos. What their deep dive omitted, however, were the identities of the victims and the attackers: Uyghur Muslims and the Chinese government.
Shortly after Google's researchers noted the attacks, media reports connected the dots: the targets of the campaign that used the Chaos exploit were the Uyghur people, and the hackers were linked to the Chinese government. Apple published a rare blog post that confirmed the attack had taken place over two months: that is, the period beginning immediately after Qixun won the Tianfu Cup and stretching until Apple issued the fix. MIT Technology Review has learned that United States government surveillance independently spotted the Chaos exploit being used against Uyghurs, and informed Apple. (Both Apple and Google declined to comment on this story.) The Americans concluded that the Chinese essentially followed the "strategic value" plan laid out by Qihoo's Zhou Hongyi; that the Tianfu Cup had generated an important hack; and that the exploit had been quickly handed over to Chinese intelligence, which then used it to spy on Uyghurs. The US collected the full details of the exploit used to hack the Uyghurs, and it matched Tianfu's Chaos hack, MIT Technology Review has learned. (Google's in-depth examination later noted how structurally similar the exploits are.) The US quietly informed Apple, which had already been tracking the attack on its own and reached the same conclusion: the Tianfu hack and the Uyghur hack were one and the same. The company prioritized a difficult fix.
Two months later, in January 2019, Apple issued an update that fixed the flaw. There was little fanfare—just a quick note of thanks to those who discovered it. But in August of that year, Google published an extraordinary analysis into a hacking campaign it said was "exploiting iPhones en masse." Researchers dissected five distinct exploit chains they'd spotted "in the wild." These included the exploit that won Qixun the top prize at Tianfu, which they said had also been discovered by an unnamed "attacker." The Google researchers pointed out similarities between the attacks they caught being used in the real world and Chaos. What their deep dive omitted, however, were the identities of the victims and the attackers: Uyghur Muslims and the Chinese government.
Shortly after Google's researchers noted the attacks, media reports connected the dots: the targets of the campaign that used the Chaos exploit were the Uyghur people, and the hackers were linked to the Chinese government. Apple published a rare blog post that confirmed the attack had taken place over two months: that is, the period beginning immediately after Qixun won the Tianfu Cup and stretching until Apple issued the fix. MIT Technology Review has learned that United States government surveillance independently spotted the Chaos exploit being used against Uyghurs, and informed Apple. (Both Apple and Google declined to comment on this story.) The Americans concluded that the Chinese essentially followed the "strategic value" plan laid out by Qihoo's Zhou Hongyi; that the Tianfu Cup had generated an important hack; and that the exploit had been quickly handed over to Chinese intelligence, which then used it to spy on Uyghurs. The US collected the full details of the exploit used to hack the Uyghurs, and it matched Tianfu's Chaos hack, MIT Technology Review has learned. (Google's in-depth examination later noted how structurally similar the exploits are.) The US quietly informed Apple, which had already been tracking the attack on its own and reached the same conclusion: the Tianfu hack and the Uyghur hack were one and the same. The company prioritized a difficult fix.
Re: Trivial for the CIA to fake. (Score:1)
Re: (Score:1)
Re: (Score:2, Interesting)
Re: Trivial for the CIA to fake. (Score:1, Interesting)
Re: (Score:1)
Trivial for the posters to fake. (Score:3)
This is the home of [citation needed]. Everything is disputable.
Re: (Score:3)
Re:Trivial for the CIA to fake. (Score:4)
... and destabilising the xinjiang region has been their intention for many many years. It's not even disputable.
We need a new moderation type: (-1, Shill).
I am at once appalled and impressed that the Russians and Hans think enough of /. and those of us still left posting that they'd spend the resources spreading their FUD here.
Re: (Score:2)
Obvious shill, but also probably correct. Did you forget they propped up the Taliban in the 80s to stick it to the commies? Or the Islamic fundamentalists in Iran a few years before that?
Re: (Score:2)
Only to, soon after and very publicly, shit all over them I might add. When you understand this it's not hard to see why "Death to America" is the slogan.
Re: (Score:2)
Oh, absolutely. Not defending the CIA here, by any means.
And you're right. Definitely a shill, but probably also correct.
What a world we live in.
Re: (Score:2)
Re: (Score:2)
Old habits die hard, I guess. Then again, we're still here, 20+ years on... Makes you wonder how long they've been here, unrecognised, you know?
Quixen double dipping? (Score:2)
Re: (Score:2)
Like oppressing on ethnic grounds is anything normal. Building up contemporary means of genocide is not.
Cannot be real (Score:3)
iPhones use is insignificant outside countries like USA, Japan, etc. No one can spend two or three full months worth of salary on a phone.
Re: (Score:2)
China does not need a hack (Score:2)
I am pretty sure that every Uighur must by law install a government tracking app on their phone. And it would be unwise to be seen without the phone on you.
Plus they have unfettered access to all the Baidu and WeChat data etc.
We should look at this and tremble in fear.
Re: (Score:2)
"Drive the Blade In, Scrape Poison off the Bone" (Score:1)
Those poor Uyghurs (Score:2, Funny)
They all have a last generation iPhone, I can see where the international outcry comes from
Re: (Score:1)
As long as it is not me... (Score:2)
Re: (Score:2)
China's Disinformation Campaign on Uyghurs (Score:2)
actually this is just a clip, the whole conversation is worthwhile too. [youtube.com]