100 million iCloud users spied by the Chinese Government

A report confirms that China is collecting private data of more that 100 million Apple iCloud users resident in the country with a man-in-the-middle attack.

The Chinese Government has launched a new hacking campaign that is targeting Apple iCloud users in the country, the news was reported by the censorship watchdog GreatFire.org is a blog post.

After previous attacks against Github, Google, Yahoo and Microsoft, the Chinese authorities are now running a man-in-the-middle (MITM) attack on Apple’s iCloud users to steal credentials of who logs into the iCloud from the country.

It is a surveillance operation on a large scale that allows the Government of Beijing to spy on Chinese citizens, accessing to the iCloud account the authorities can users contacts, photos and data archived in the Apple cloud.

The number of iPhone users in China is 100 million, all potential targets of the Government:

“The attack point is the Chinese internet backbone, and that it is nationwide, which would lead us to be 100 percent sure that this is again the work of the Chinese authorities,” one of the GreatFire founders told the South China Morning Post.

The report issued by the GreatFire.org highlights the importance of the timing for the surveillance operation, it coincides with events such as the protests in Hong Kong and the presentation of the new iPhone 6 that begun in China with a significant delay respect the rest of the world.

Apple announced a series of improvements that makes hard snooping from Intelligence agencies, so Chinese authorities would not allow the phone to be sold on the mainland.

“It is unclear if Apple made changes to the iPhones they are selling in mainland China.”

The monitoring of Apple users’information could support the authorities to track the leaders of the Hong Kong’s Umbrella Movement on the mainland.

The Government has operated PSYOPs in the social media to mitigate the protest and security firm also sustains that the China has used mobile spyware, MITM attacks and Internet monitoring to control Hong Kong protesters.

The Government was running hacking campaign against Apple iCloud users despite in the past the company has collaborated with the authorities banning from its official store any application that could violated the law of the country and evade the censorship. In August, Apple accepted to store iCloud data of Chinese users in China Telecom servers.

How iCloud users in China could protect their privacy?

• Internet users in China must use a trusted browser on their desktops and mobile devices like Firefox and Chrome, both software in fact detect connections suffering from a MITM attack.
• Another possibility is the used of VPN or by finding a different internet access point.
• Enable two-step verification for iCloud accounts, this do not suffice for the attackers to capture the iCloud credentials.

Technically, the Chinese authorities are using a self-signed certificate to run a Man-In-The-Middle attack in iCloud. The Government only attacked the IP address 23.59.94.46, this means that only a portion of iCloud users for which the iCloud DNS return this IP are impacted. Below some other details of the attacks.

Wirecapture with MITM: https://www.cloudshark.org/captures/03a6b0593436

Connection log: http://pastebin.com/tN7kbDV3

Traceroute: http://pastebin.com/8Y6ZwfzG

The report is polemic with the support offered by Apple to the Chinese Government in the past:

“If anything, cooperation with the Chinese authorities can now increasingly be labeled as the worst decision a foreign company can make. Not only will the authorities bite you in the ass, but your willingness to work with the censorship regime will lose you customers and fans worldwide.” states the report.

Apple has not yet commented on the GreatFire report.

Pierluigi Paganini

(Security Affairs – GreatFire report, Chinese censorship)