China is trying to hoover up its citizens’ iCloud passwords, according to various reports, and it's doing so in a rather brazen way. The hacks are so blatant that it appears China doesn’t even care who catches it spying. Onlookers have suggested that either the Politburo isn’t worried about being seen as a digitally repressive state, or it’s sticking its middle finger up at Apple. It could well be both.
“I assume that the attackers knew they would be detected. If not publicly, then at least by Apple,” Morgan Marquis-Boire, a former Google security pro who’s now in charge of protecting the website The Intercept, told me. “Is this the opening salvo in the war between China and Apple on privacy?”
Chinese authorities are allegedly carrying out a crude ‘man-in-the-middle attack’. China hasostensibly used its influence over ISPs in the country to intercept citizens’ iCloud transactions with some fake Secure Socket Layer (SSL) certificates. These certificates are designed to instill trust in the SSL encryption standard—when a connection is made over SSL (as on HTTPS services) the relevant server sends a certificate that contains cryptographic information to the user’s PC, phone or whatever client they’re using. This then sets up the encrypted communication via a number of digital “handshakes.”
In this case, the Chinese government has been accused of setting up interception points, ostensibly on networks belonging to China Telecom and China Unicom, that responded to users hoping to reach iCloud servers with a fake certificate that claimed to come from Apple. The Chinese man in the middle would interact with the real server and provide the expected content to the user.
In theory, this would allow the attackers to masquerade as Apple, and to collect the iCloud data of victims. But these certificates were self-signed and poorly disguised; standard iPhones and iPads would warn users the certificates did not come from trusted sources. A user would have to manually accept the certificate for the attack to work. Such attempts are very easy to detect for that very reason: both Apple and its users should immediately know something suspicious is going on. Smarter, more clandestine hackers would have stolen or somehow created a legitimate or legitimate-looking Apple certificate to avoid detection.
The attacks landed not long after the launch of the iPhone 6 in China, whilst iOS 8.1 was released today. One of the fixes in iOS 8.1 is for an SSL certificate validation vulnerability, though there’s no indication the Chinese hackers exploited it in their attacks. According to Apple’s security advisory for its mobile OS, the vulnerability would have allowed “an attacker in a privileged network position” to “force iCloud data access clients to leak sensitive information”, but there’s little more information beyond that.
China might want its people to know Big Brother is still watching, whatever added protections Apple adds to its devices
For now, it would seem the attackers used tried-and-tested methods to snoop on citizens’ iCloud accounts. Similar techniques were seen in China-based hits on Google and Yahoo users, according to Netresec,a network security monitoring and forensics firm. When done at significant scale, at least a few less tech savvy people would accept the fake certificate and have their accounts compromised.
Yet onlookers are baffled by China’s apparent carelessness. The nation must have known it would have been caught, if it was behind the attacks in the first place. Marquis-Boire suggested China could be seeking to offer a public display of its usually-concealed censorship machine.
First, China might want its people to know Big Brother is still watching, whatever added protections Apple adds to its devices, such as the improved encryption that has so riled the FBI. Second, officials could want Apple to know it doesn’t want users to have privacy—as everyone knows from the Golden Shield and Great Firewall censorship initiatives—and it’ll do whatever it takes to prevent iPhone owners from keeping their communications secret.
Apple had not responded to a request for comment at the time of publication.
Still, China can legitimately deny the attacks, as it has done with other hacks in recent memory. Technically, anyone who breached the relevant networks could have carried out the attack. “The information we have indicates that the attack is originating within certain Chinese ISPs, but it’s not traceable directly to the Great Firewall,” said Matthew Green, a cryptography professor at Johns Hopkins. “It’s also being executed with a self-signed certificate, not a stolen ... certificate. So while this would certainly seem like it’s state sanctioned, I suppose it’s not an open and shut case. There have been similar MITM attacks recently on research institutions in China, and those were much more targeted.”
Green thinks the changes might have a positive effect in the long-term. “As far as I can tell, this will only convince Apple to improve their security.”