Scores of white hat hackers participate in bug bounty programs and win huge rewards. Typically the exploits are handed over to the concerned company and published only after the flaw is fixed. A new study highlights how the Chinese authorities used a prize-winning iPhone hack and turned it into a surveillance tool to spy on Uyghur Muslims.
The exploit allowed the regime to take complete control of target phones and thus launch a mass surveillance campaign. Previously, Chinese security researchers used to participate in the Pwn2Own event to discover zero-day vulnerabilities. It is a global event and attracts hundreds of security researchers from across the world.
The CEO of Chinese giant Qihoo 360 unexpectedly accused Chinese participants of being disloyal to the state.
In an unexpected statement, the billionaire founder and CEO of the Chinese cybersecurity giant Qihoo 360, one of the most important engineering firms in China, publicly criticized Chinese citizens who went overseas to participate in hacking competitions. In an interview with the Chinese news site Sina, Zhou Hongyi said that performing well in such events represented only an “imaginary” success. Zhou warned that once Chinese hackers show off vulnerabilities at overseas competitions, they can “no longer be used.” Instead, he argued, the hackers and their knowledge should “stay in China” so that they could recognize the true importance and “strategic value” of the software vulnerabilities.
Zhou certainly had the attention of the Chinese authorities. In 2022 China banned security researchers from attending global events. Soon enough, they came up with their own event called “The Tianfu Cup.” The participants were awarded cash prizes amounting to more than a million dollars.
The inaugural event was held in November 2022. The $200,000 top prize went to Qihoo 360 researcher Qixun Zhao, who showed off a remarkable chain of exploits that allowed him to easily and reliably take control of even the newest and most up-to-date iPhones. From a starting point within the Safari web browser, he found a weakness in the core of the iPhone’s operating system, its kernel. The result? A remote attacker could take over any iPhone that visited a web page containing Qixun’s malicious code. It’s the kind of hack that can potentially be sold for millions of dollars on the open market to give criminals or governments the ability to spy on large numbers of people. Qixun named it “Chaos.”
Apple fixed the flaw in January 2022, two months after it was discovered. Later that year, Google released a report pertaining to a hacking campaign. They discovered that iPhones were being hacked en masse and attributed the attack to five exploit chains. This included the exploit that won the top prize in China’s cybersecurity event.
The incident is stark. One of China’s elite hacked an iPhone, and won public acclaim and a large amount of money for doing so. Virtually overnight, Chinese intelligence used it as a weapon against a besieged minority ethnic group, striking before Apple could fix the problem. It was a brazen act performed in broad daylight and with the knowledge that there would be no consequences to speak of.
It is alleged that the Chinese followed the “strategic value” plan devised by Qihoo’s Zhou Hongyi. In other words, the Tianfu Cup had revealed a significant hack. The exploit was handed over to Chinese intelligence, who used it to spy on Uyghurs. Zhou refuted the allegations and claimed the exploit could have been used after the patch. However, both Apple and Google had documented that the exploit was used before Apple patched it.
State-sponsored attacks are nothing new. The Chinese government has been accused for many years of suppressing the human rights of Uyghur Muslims. Ideally, government agencies should not meddle with cybersecurity events, and companies like Apple should try to expand their bug bounty programs further.
[via MIT Review]
Posted by: Sadiyev.com