China collecting Apple iCloud data; attack coincides with launch of new iPhone
We have posted previously about MITM attacks on Google and Github and broke the news about the recent attack on Yahoo. Refer to the appendix at the end of this post to see technical evidence of the attack.
This case is different, however, for a few reasons.
Wikipedia defines a man-in-the-middle-attack in the following way:
The man-in-the-middle attack...is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
This is clearly a malicious attack on Apple in an effort to gain access to usernames and passwords and consequently all data stored on iCloud such as iMessages, photos, contacts, etc. Unlike the recent attack on Google, this attack is nationwide and coincides with the launch today in China of the newest iPhone. While the attacks on Google and Yahoo enabled the authorities to snoop on what information Chinese were accessing on those two platforms, the Apple attack is different. If users ignored the security warning and clicked through to the Apple site and entered their username and password, this information has now been compromised by the Chinese authorities. Many Apple customers use iCloud to store their personal information, including iMessages, photos and contacts. This may also, once again, be related to images and videos of the Hong Kong protests being shared on the mainland.
What should users do to counteract this attack? Internet users in China should first use a trusted browser on their desktops and mobile devices - Firefox and Chrome will both prevent users from accessing iCloud.com when they are trying to access a site that is suffering from a MITM attack. Qihoo’s popular Chinese 360 secure browser is anything but secure and will load the MITMed page directly.
If users have ignored the security warnings, they should find an undisrupted connection to iCloud.com. This can be accomplished by using a VPN or by finding a different internet access point because the GFW’s MITM is not that stable. They should also enable two-step verification for their iCloud accounts. This will protect iCloud accounts from attackers even if the account password is compromised.
This latest MITM attack may be related to the increased security aspects of Apple’s new iPhone. When details of the new iPhone were announced, we felt that perhaps the Chinese authorities would not allow the phone to be sold on the mainland. Ironically, Apple increased the encryption aspects on the phone allegedly to prevent snooping from the NSA. However, this increased encryption would also prevent the Chinese authorities from snooping on Apple user data. It is unclear if Apple made changes to the iPhones they are selling in mainland China. However, this MITM attack may indicate that there is at least some conflict between the Chinese authorities and Apple over some of the features on the new phone.
This attack will come as a surprise to Apple. In the past, the company has had a bromance with the authorities and has blindly acquiesced when asked to remove apps from the China app store. With such a close, cozy and snuggly relationship, it is hard to imagine that the executives at Apple felt that they would get this kind of treatment in China. Tim Cook is looking in his mirror now and crying “What did I do wrong?”.
This episode should provide a clear warning signal to foreign companies that work with the Chinese authorities on their censorship agenda. Working with the authorities to help them prevent free access to news and information is not a guaranteed path to riches in China. If anything, cooperation with the Chinese authorities can now increasingly be labeled as the worst decision a foreign company can make. Not only will the authorities bite you in the ass, but your willingness to work with the censorship regime will lose you customers and fans worldwide.
We have reached out to Apple for comment and will update this post if they reply.
Technical evidence of attacks against iCloud.com (Apple) and login.live.com (Microsoft)
The GFW (Great Firewall of China) is now wiretapping Apple’s iCloud. GFW implemented a MITM attack on iCloud using a self-signed certificate.
The authorities only attacked IP 220.127.116.11. Not all users in China are affected because the iCloud DNS might return different IP addresses.
Wirecapture with MITM: https://www.cloudshark.org/captures/03a6b0593436
Self-signed certificate used in the attack: http://www.mediafire.com/download/ampbnqncc277krv/fakeicloudcert.zip
Connection log: http://pastebin.com/tN7kbDV3
TCP Traceroute: https://twitter.com/siyanmao/status/518963824481681408
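The evidence above rests on two observations: the interceptor presents a self-signed certificate that no browser trust store accepts, and it sits in front of only one of the addresses that iCloud's DNS hands out, so some users see a clean connection while others do not. The following script is an added example written for this post, not code from GreatFire or Apple; it does from a terminal what Firefox and Chrome do silently. It resolves every address for a hostname, performs a TLS handshake against each one with the system trust store, records OpenSSL's verification verdict, and (only when verification fails) reconnects without verification purely to capture the SHA-256 fingerprint of the certificate that was presented, so the offending certificate can be compared with the one in the capture. The hostname `www.icloud.com` and the empty `KNOWN_GOOD_PINS` set are assumptions; the pin set is a placeholder an operator would fill with fingerprints recorded over a connection they trust.

```python
"""Probe every resolved address of a TLS host and report whether each presents a trusted chain.

Added example for this post (not GreatFire's or Apple's code). Assumes Python 3.8+ and only
the standard library. KNOWN_GOOD_PINS is an empty placeholder; fill it with fingerprints
recorded over a connection you trust to turn the check into certificate pinning.
"""
from __future__ import annotations

import hashlib
import socket
import ssl

# Constructed placeholder: no real Apple fingerprint is embedded here.
KNOWN_GOOD_PINS: set[str] = set()


def fingerprint_sha256(der: bytes) -> str:
    """Hex SHA-256 over the DER certificate, the value browsers display as the thumbprint."""
    return hashlib.sha256(der).hexdigest()


def classify(verify_error: str | None, leaf_fp: str | None, pins: set[str]) -> str:
    """Reduce one probe to a verdict.

    verify_error: None if the system trust store accepted the chain, else OpenSSL's reason text.
    leaf_fp:      SHA-256 of the leaf the server actually presented, or None if no handshake happened.
    pins:         fingerprints recorded on a clean connection; an empty set disables pinning.
    """
    if leaf_fp is None:
        return "unreachable"
    if verify_error is not None:
        # A self-signed or unknown-CA certificate lands here regardless of what its subject claims.
        return "untrusted"
    if pins and leaf_fp not in pins:
        # Chain verified, but the leaf is not the one we recorded: a valid-looking substitute.
        return "pin-mismatch"
    return "ok"


def probe(host: str, ip: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with one address, sending SNI for `host`, and collect what that address presented."""
    verify_error: str | None = None
    der: bytes | None = None
    try:
        ctx = ssl.create_default_context()  # system trust store, hostname check on
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except ssl.SSLCertVerificationError as exc:
        verify_error = exc.verify_message
        # Verification failed. Reconnect with verification disabled ONLY to capture the
        # offending certificate for comparison; nothing is sent over this connection.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            with socket.create_connection((ip, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    der = tls.getpeercert(binary_form=True)
        except OSError:
            pass
    except OSError:
        pass  # refused, reset or timed out: leave der as None
    fp = fingerprint_sha256(der) if der else None
    return {
        "ip": ip,
        "fingerprint": fp,
        "verify_error": verify_error,
        "verdict": classify(verify_error, fp, KNOWN_GOOD_PINS),
    }


def scan(host: str, port: int = 443) -> list[dict]:
    """Probe every address DNS returns; an interception that targets one IP shows up as one bad row."""
    addrs = sorted({info[4][0] for info in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)})
    return [probe(host, ip, port) for ip in addrs]


if __name__ == "__main__":
    for result in scan("www.icloud.com"):
        print(f"{result['ip']:<40} {result['verdict']:<13} {result['verify_error'] or ''}")
```

Run it from several vantage points (for instance once over a VPN and once on the local connection): a row that reads `untrusted` with a verify message such as "self signed certificate" on one address while the other addresses read `ok` is exactly the pattern described above, and the printed fingerprint can be checked against the certificate in the linked capture.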