An award-winning iPhone hack was reportedly used by the Chinese government to spy on it Muslim minority Uyghur community.
A new report from MIT Technology Review explains that Chinese security researchers used to participate in the Pwn2Own “hacking” contest designed to discover and exploit zero-day vulnerabilities in platforms worldwide. Hackers win prizes and the hacks are reported to companies so they can be addressed before the details are made public.
However, this all changed a few years ago when the CEO of a Chinese cybersecurity giant criticized Chinese participants for being disloyal, explains the report:
In an unexpected statement, the billionaire founder and CEO of the Chinese cybersecurity giant Qihoo 360—one of the most important technology firms in China—publicly criticized Chinese citizens who went overseas to take part in hacking competitions. In an interview with the Chinese news site Sina, Zhou Hongyi said that performing well in such events represented merely an “imaginary” success. Zhou warned that once Chinese hackers show off vulnerabilities at overseas competitions, they can “no longer be used.” Instead, he argued, the hackers and their knowledge should “stay in China” so that they could recognize the true importance and “strategic value” of the software vulnerabilities.
Soon after, the Chinese government banned its citizens from entering the contest, instead creating their own version of Pwn2Own:
The inaugural event was held in November 2018. The $200,000 top prize went to Qihoo 360 researcher Qixun Zhao, who showed off a remarkable chain of exploits that allowed him to easily and reliably take control of even the newest and most up-to-date iPhones. From a starting point within the Safari web browser, he found a weakness in the core of the iPhones operating system, its kernel. The result? A remote attacker could take over any iPhone that visited a web page containing Qixun’s malicious code. It’s the kind of hack that can potentially be sold for millions of dollars on the open market to give criminals or governments the ability to spy on large numbers of people. Qixun named it “Chaos.”
Apple fixed “Chaos” shortly after, but according to the report, the Chinese government in the meantime used it to hack iPhones that belonged to Uyghur Muslims. Apple confirmed that the exploit has been used as such, but the full extent that Beijing had used it wasn’t clear until now, explains the report:
The incident is stark. One of China’s elite hacked an iPhone, and won public acclaim and a large amount of money for doing so. Virtually overnight, Chinese intelligence used it as a weapon against a besieged minority ethnic group, striking before Apple could fix the problem. It was a brazen act performed in broad daylight and with the knowledge that there would be no consequences to speak of.
The entire report is very interesting and is well worth the read over at MIT Technology Review.