China collecting Apple iCloud data; attack coincides with launch of new iPhone

After previous attacks on Github, Google, Yahoo and Microsoft, the Chinese authorities are now staging a man-in-the-middle (MITM) attack on Apple’s iCloud.

icloud2.png

We have posted previously about MITM attacks on Google and Github and broke the news about the recent attack on Yahoo.  Refer to the appendix at the end of this post to see technical evidence of the attack.

This case is different, however, for a few of reasons.

Wikipedia defines a man-in-the-middle-attack in the following way:

The man-in-the-middle attack...is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

This is clearly a malicious attack on Apple in an effort to gain access to usernames and passwords and consequently all data stored on iCloud such as iMessages, photos, contacts, etc. Unlike the recent attack on Google, this attack is nationwide and coincides with the launch today in China of the newest iPhone. While the attacks on Google and Yahoo enabled the authorities to snoop on what information Chinese were accessing on those two platforms, the Apple attack is different. If users ignored the security warning and clicked through to the Apple site and entered their username and password, this information has now been compromised by the Chinese authorities. Many Apple customers use iCloud to store their personal information, including iMessages, photos and contacts. This may also somehow be related again to images and videos of the Hong Kong protests being shared on the mainland.

What should users do to counteract this attack? Internet users in China should first use a trusted browser on their desktops and mobile devices - Firefox and Chrome will both prevent users from accessing iCloud.com when they are trying to access a site that is suffering from a MITM attack. Qihoo’s popular Chinese 360 secure browser is anything but and will load the MITMed page directly.

If users have ignored the security warnings, they should find an undisrupted connection to iCloud.com. This can be accomplished by using a VPN or by finding a different internet access point because the GFW’s MITM is not that stable. They should also enable two-step verification for their iCloud accounts. This will protect iCloud accounts from attackers even if the account password is compromised.

This latest MITM attack may be related to the increased security aspects of Apple’s new iPhone. When details of the new iPhone were announced, we felt that perhaps that the Chinese authorities would not allow the phone to be sold on the mainland. Ironically, Apple increased the encryption aspects on the phone allegedly to prevent snooping from the NSA. However, this increased encryption would also prevent the Chinese authorities from snooping on Apple user data. It is unclear if Apple made changes to the iPhones they are selling in mainland China. However, this MITM attack may indicate that there is at least some conflict between the Chinese authorities and Apple over some of the features on the new phone.

This attack will come as a surprise to Apple. In the past, the company has had a bromance with the authorities and have blindly acquiesced when asked to remove apps from the China app store. With such a close, cozy and snuggly relationship, it is hard to imagine that the executives at Apple felt that they would get this kind of treatment in China. Tim Cook is looking in his mirror now and crying “What did I do wrong?”.

This episode should provide a clear warning signal to foreign companies that work with the Chinese authorities on their censorship agenda. Working with the authorities to help them prevent free access to news and information is not a guaranteed path to riches in China. If anything, cooperation with the Chinese authorities can now increasingly be labeled as the worst decision a foreign company can make. Not only will the authorities bite you in the ass, but your willingness to work with the censorship regime will lose you customers and fans worldwide.

We have reached out to Apple for comment and will update this post if they reply.

 

Technical evidence of attacks against iCloud.com (Apple) and login.live.com (Microsoft)

iCloud

The GFW (Great Firewall of China) is now wiretapping Apple’s iCloud. GFW implemented a MITM attack on iCloud using a self-signed certificate.

The authorities only attacked IP 23.59.94.46. Not all users in China are affected because the iCloud DNS might return different IP addresses.

Wirecapture with MITM: https://www.cloudshark.org/captures/03a6b0593436

Self-signed certificate used in the attack: http://www.mediafire.com/download/ampbnqncc277krv/fakeicloudcert.zip

Connection log: http://pastebin.com/tN7kbDV3

Traceroute:  http://pastebin.com/8Y6ZwfzG

Hotmail MITM

Wirecap: https://www.cloudshark.org/captures/6011389a8ea3

TCP Traceroute: https://twitter.com/siyanmao/status/518963824481681408

 

Comments

More Blog Posts

Subscribe to our mailing list
Show content from Blog | Google+ | Twitter | All. Subscribe to our blog using RSS.

Mon, Nov 25, 2024

China’s New Effort to Achieve Cyber Sovereignty

How Real-Name Registration policies create an “ideological firewall” that chills dissent by eliminating user anonymity and selectively restricting transnational access to Chinese social media apps.

Thu, Aug 10, 2023

1.4 million people used FreeBrowser to circumvent the Great Firewall of Turkmenistan

Since 2021, the authorities in Turkmenistan have taken exceptional measures to crack down on the use of circumvention tools. Citizens have been forced to swear on the Koran that they will not use a VPN. Circumvention tool websites have been systematically blocked. Arbitrary searches of mobile devices have also taken place and have even targeted school children and teachers.

The government has also blocked servers hosting VPNs which led to “near complete” internet shutdowns on several occasions in 2022. Current reports indicate that 66 hosting providers, 19 social networks and messaging platforms, and 10 leading content delivery networks (CDNs), are blocked in the country. The government presumably is unconcerned about the negative economic impact that such shutdowns can cause.

Fri, Mar 18, 2022

Well-intentioned decisions have just made it easier for Putin to control the Russian Internet

This article is in large part inspired by a recent article from Meduza (in Russian).

Since the beginning of the war in Ukraine, Russian users have had problems accessing government websites and online banking clients. Browsers began to mark these sites as unsafe and drop the connection. The reason is the revocation of digital security certificates by foreign certificate authorities (either as a direct consequence of sanctions or as an independent, good will move); without them, browsers do not trust sites and “protect” their users from them.

However, these actions, caused - or at least triggered by - a desire to punish Russia for their gruesome actions in Ukraine, will have long-lasting consequences for Russian netizens.

Digital certificates are needed to confirm that the site the user wants to visit is not fraudulent. The certificates contain encryption keys to establish a secure connection between the site and the user. It is very easy to understand whether a page on the Internet is protected by a certificate. One need just look at the address bar of the browser. If the address begins with the https:// prefix, and there is a lock symbol next to the address, the page is protected. By clicking on this lock, you can see the status of the connection, the name of the Certification Authority (CA) that issued the certificate, and its validity period.

There are several dozen commercial and non-commercial organizations in the world that have digital root certificates, but 3/4 of all certificates are issued by only five of the largest companies. Four of them are registered in the USA and one is registered in Belgium.

Mon, Aug 03, 2020

Announcing the Release of GreatFire AppMaker

GreatFire (https://en.greatfire.org/), a China-focused censorship monitoring organization, is proud to announce that we have developed and released a new anti-censorship tool that will enable any blocked media outlet, blogger, human rights group, or civil society organization to evade censors and get their content onto the phones of millions of readers and supporters in China and other countries that censor the Internet.

GreatFire has built an Android mobile app creator, called “GreatFire AppMaker”, that can be used by organizations to unblock their content for users in China and other countries. Organizations can visit a website (https://appmaker.greatfire.org/) which will compile an app that is branded with the organization’s own logo and will feature their own, formerly blocked content. The app will also contain a special, censorship-circumventing web browser so that users can access the uncensored World Wide Web. The apps will use multiple strategies, including machine learning, to evade advanced censorship tactics employed by the Chinese authorities.  This project will work equally well in other countries that have China-like censorship restrictions. For both organizations and end users, the apps will be free, fast, and extremely easy to use.

This project was inspired by China-based GreatFire’s first-hand experience with our own FreeBrowser app (https://freebrowser.org/en) and desire to help small NGOs who may not have the in-house expertise to circumvent Chinese censorship. GreatFire’s anti-censorship tools have worked in China when others do not. FreeBrowser directs Chinese internet users to normally censored stories from the app’s start page (http://manyvoices.news/).

Fri, Jul 24, 2020

Apple, anticompetition, and censorship

On July 20, 2020, GreatFire wrote to all 13 members of the Subcommittee on Antitrust, Commercial and Administrative Law of the U.S. House Committee on the Judiciary, requesting a thorough examination into Apple’s practice of censorship of its App Store, and an investigation into how the company collaborates with the Chinese authorities to maintain its unique position as one of the few foreign tech companies operating profitably in the Chinese digital market.  

This letter was sent a week before Apple CEO TIm Cook will be called for questioning in front of the Subcommittee on Antitrust, Commercial and Administrative Law. The CEOs of Amazon, Google and Facebook will also be questioned on July 27, as part of the Committee’s ongoing investigation into competition in the digital marketplace.

This hearing offers an opportunity to detail to the Subcommittee how Apple uses its closed operating ecosystem to not only abuse its market position but also to deprive certain users, most notably those in China, of their right to download and use apps related to privacy, secure communication, and censorship circumvention.

We hope that U.S. House representatives agree with our view that Apple should not be allowed to do elsewhere what would be considered as unacceptable in the U.S. Chinese citizens are not second class citizens. Private companies such as Apple compromise themselves and their self-proclaimed values of freedom and privacy when they collaborate with the Chinese government and its censors.

Subscribe to our blog using RSS.

Comments

uk.yahoo.com is also giving untrusted certificate warnings at this present time.

I'm surprised they've used self-signed. Surely they could have issued certs through cnnic (www.cnnic.cn). Most browsers trust their CA. You can test your browser by going to Https://Evdemo.cnnic.cn

@Anonymous: Because if they did that, cnnic would definitely not be trusted anymore...

Pretty creepy, they don't mind being as obvious as this...and this 360 browser accepts self-signed certificates by default? Wow.

On the other hand, can we rule out that it was an attack not connected to the Chinese government? Were all DNS servers in China affected? Why would they stop the attack this quick (icloud goes to the right IP for me now and I use my provider's DNS servers)? Not that I would not think that the government has hands in this, but I would not be surprised if it was a successful attack to a poorly secured big provider's DNS server (but then it wouldn't affect everybody in China...). Hmm when thinking about it, this poisoning must have been done through the GFW...any more detailed technical analysis available? Any official comments from CNNIC?

看我口型。操~~~他~~~妈~~~

Is the information obtained limited to iCloud users' data?

Is the information obtained limited to iCloud users' data?

inspired a lot from this post am following this blog regularly and found very good for bookmarking thanks admin
new year sms in hindi 2015
happy new year sms 2015
happy new year 2015 wallpapers
happy new year 2015 quotes
happy new year 2015
happy new year wishes 2015

This is really bad.Hope that steps will be taken in Year 2015 for better security.

Vry..Vry..Vry..Needful 4 my computer PPT....Thankxxx sooo much

Thanks a really nice post thanks for sharing.
[http://www.happyrepublicday-2015.com/ Republic Day 2015] Republic Day 2015
[http://www.happyrepublicday-2015.com/ Republic Day 2015] Republic Day 2015
[http://www.happyrepublicday-2015.com/ Republic Day 2015] Happy Republic Day 2015 SMS

McCoy does not shy from prevents and by most reports they
was a team participant with all the Eagles. and it has a huge amount of
has under his belt|it has a huge amount of carries under his belt and is 27 Your examination of the business and We agree generally, but the material about McCoyis
mindset and designed -the- problems is baloney.

Check out my web site: gift.ii-houyou.com (Jacob)

this post is awesome, great msg for us, plz update ur blog for daily basis, i am regular visitor of this site, so keep posting for us,

click the below links to create backlink
best free backlink website
click here for msg movie

Paragraph writing is also a fun, if you know
then you can write otherwise it is complicated to write.

My website How To Seo Html (Http://Support.Semanticmastery.Com/)

thanks for this post, keep it up for updating us, i am waiting for ur new article.
IPL8 live stream 2015
thanks again

Mind Blowing.. post great work

PC Games

Thanks Great Share.

Technology

LinkedIn decided to create a China-hosted version ?

Tech Blog

this is great information. article is ol;d but information is great
http://www.surveyremoveronline.com/

this is great information. article is ol;d but information is great
http://www.surveyremoveronline.com/

its time to grow up now for the best world and info you'll got.
Facebook Hacker

Exclusive release first on Internet Fifa 16 Crack arrived. Try the latest version of our fifa crack today and impress all of your friends with amazing highscores rankings - free of charge.

We have spent months developing this crack so that you can generate an unlimited amount of free Points, Coins.
http://fifacrack.com/

Republic Day 2016 Images

http://festivalsbag.com/

Republic Day 2016 Images
http://festivalsbag.com/

Republic Day 2016 Images
http://festivalsbag.com/

On the other hand, can we rule out that it was an attack not connected to the Chinese government? Were all DNS servers in China affected? Why would they stop the attack this quick (icloud goes to the right IP for me now and I use my provider's DNS servers)? Not that
would not think that the government has hands in this, but I would not be surprised if it was a successful attack to a poorly secured big provider's DNS server (but then it wouldn't affect everybody in China...). Hmm when thinking about it, this poisoning must have been done through the GFW...any more detailed technical analysis available? Any official comments from CNNIC http://www.sbnation.com/users/obatperangsang

is also giving untrusted certificate warnings at this present time. http://obatfrigid.com/obat-perangsang-pria.html

is also giving untrusted certificate warnings at this present time
http://toko-qta.com/

would not think that the government has hands in this, but I would not be surprised if it was a successful attack to a poorly secured big provider's DNS server (but then it wouldn't affect everybody in China...
http://tokovital.com/obat-perangsang-wanita.html

would not think that the government has hands in this, but I would not be surprised if it was a successful attack to a poorly
https://www.sbnation.com/users/perangsangwanita

Berita Terkini ElangNews.com http://www.elangnews.com/

Nonton bola online streaming http://nobartv.com

Komunitas fans bola indonesia http://soccerio.net

thank you very much for the article, hopefully by reading this article can add to my knowledge and experience and all friends who have read the content in this article http://www.obatpengikatwanita.com/

the application permits you making this examination on any kind of network, androdumpperr as well as run the installer data to comply with the setup directions.

Progression as it speeds with the DHL network. You'll Tracking to awaiting distributions that do not turn up as intended.

is also giving untrusted certificate warnings at this present time
http://www.tokomurah.id/

Progression as it speeds with the DHL network. You'll Tracking (http://www.tokomurah.id/obat-pelangsing-badan/) to awaiting distributions that do not turn up as intended.

Indeks berita bola terbaru hari ini pada NobarTV http://nobartv.com/index-berita/2018
Indeks jadwal streaming bola online hari ini di NobarTV http://nobartv.com/index-pertandingan/2018

Thank you for sharing the post. I didn't know that the Chinese authorities are now staging a man-in-the-middle (MITM) attack on Apple’s iCloud, Yooying where will they want to reach now, there were too many website and apps are blocked in China already.

Add new comment

Filtered HTML

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
By submitting this form, you accept the Mollom privacy policy.