An award-winning iPhone hack was used by the Chinese government to spy on Uyghur Muslims, giving Beijing total control of their phones.
A detailed report says that Chinese white-hat hackers used to participate in the annual Pwn2Own contest designed to uncover and exploit zero-day security vulnerabilities. The hackers win cash prizes, and the issues are reported to the companies concerned so that they can be fixed before details are shared publicly …
The MIT Technology Review says all that changed in 2017, when the CEO of a large Chinese tech company accused participants from China of disloyalty.
In an unexpected statement, the billionaire founder and CEO of the Chinese cybersecurity giant Qihoo 360—one of the most important technology firms in China—publicly criticized Chinese citizens who went overseas to take part in hacking competitions. In an interview with the Chinese news site Sina, Zhou Hongyi said that performing well in such events represented merely an “imaginary” success. Zhou warned that once Chinese hackers show off vulnerabilities at overseas competitions, they can “no longer be used.” Instead, he argued, the hackers and their knowledge should “stay in China” so that they could recognize the true importance and “strategic value” of the software vulnerabilities.
Zhou clearly had the ear of the Chinese government, as they soon banned their people from attending overseas hacking contests, and instead created their own.
The inaugural event was held in November 2018. The $200,000 top prize went to Qihoo 360 researcher Qixun Zhao, who showed off a remarkable chain of exploits that allowed him to easily and reliably take control of even the newest and most up-to-date iPhones. From a starting point within the Safari web browser, he found a weakness in the core of the iPhones operating system, its kernel. The result? A remote attacker could take over any iPhone that visited a web page containing Qixun’s malicious code. It’s the kind of hack that can potentially be sold for millions of dollars on the open market to give criminals or governments the ability to spy on large numbers of people. Qixun named it “Chaos.”
Apple fixed it two months later, but an analysis found that it had in the meantime been used by the Chinese government to hack iPhones belonging to Uyghur Muslims. Apple issued a low-key press release confirming this after US surveillance spotted it, and reported it to the iPhone maker, but the full extent of it wasn’t known until now.
The incident is stark. One of China’s elite hacked an iPhone, and won public acclaim and a large amount of money for doing so. Virtually overnight, Chinese intelligence used it as a weapon against a besieged minority ethnic group, striking before Apple could fix the problem. It was a brazen act performed in broad daylight and with the knowledge that there would be no consequences to speak of.
The full, detailed report is well worth reading.
Author: Ben Lovejoy
Source: 9TO5Google