Pages

7 September 2019

Massive iPhone Hack Targets Uyghurs


China is being blamed for a massive surveillance operation that targeted Uyghur Muslims. This story broke in waves, the first wave being about the iPhone.

Earlier this year, Google's Project Zero found a series of websites that have been using zero-day vulnerabilities to indiscriminately install malware on iPhones that would visit the site. (The vulnerabilities were patched in iOS 12.1.4, released on February 7.)


Earlier this year Google's Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day.

There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.


TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.

This upends pretty much everything we know about iPhone hacking. We believed that it was hard. We believed that effective zero-day exploits cost $2M or $3M, and were used sparingly by governmentsonly against high-value targets. We believed that if an exploit was used too frequently, it would be quickly discovered and patched.

None of that is true here. This operation used fourteen zero-days exploits. It used them indiscriminately. And it remained undetected for two years. (I waited before posting this because I wanted to see if someone would rebut this story, or explain it somehow.)

Google's announcement left out of details, like the URLs of the sites delivering the malware. That omission meant that we had no idea who was behind the attack, although the speculation was that it was a nation-state.

Subsequent reporting added that malware against Android phones and the Windows operating system were also delivered by those websites. And then that the websites were targeted at Uyghurs. Which leads us all to blame China.

So now this is a story of a large, expensive, indiscriminate, Chinese-run surveillance operation against an ethnic minority in their country. And the politics will overshadow the tech. But the tech is still really impressive.

According to the company, starting today, a zero-click (no user interaction) exploit chain for Android can get hackers and security researchers up to $2.5 million in rewards. A similar exploit chain impacting iOS is worth only $2 million.

"So now this is a story of a large, expensive, indiscriminate, Chinese-run surveillance operation"?

Nooo, its now a speculation about a large, expensive, indiscriminate, Chinese-run surveillance operation–like thousands of similar bs speculations about China.


This may sound a bit strange but I hope we get a similar discovery from Apple security research teams (that is if they have any) on a range of 0-day vulnerabilities in Android OS before any news of them being exploited in the wild 😀. Game is on Apple and we end users stand to benefit from it .


One question pops to mind: how many Uyghurs have iPhones?


This weeks Squid has been covering this topic, too.

I still wonder if javascript off, or use of NoScript (where available), might have mitigated some or most of the above attacks.

You might start here https://www.schneier.com/blog/archives/2019/08/friday_squid_bl_692.html#c6798138 and read forward and backward from there or start at the top of the Squid. Most of the Squid's links, however, are redundant to the links posted above.

I think one could argue that Google is ground zero for Surveillance Capitalism.

Perhaps that may be why Google's posts on this topic are short on prevention issues. For example, why mitigation strategies that would impact collecting personal data, to support their advertising business model, are absent. In addition, IIRC and IMO, there has been a lot of negative news about Google in the press recently (Change the subject time?).

Regardless, I'm glad that this Project Zero information is out there.

Finally, might 'cookies off' have helped mitigate the 'watering hole' attacks?


@ Steve re: Uyghur iPhone ownership - Good question, I wondered that myself when I first ran across the story in mainstream media. iPhones tend to be among the more expensive smart device alternatives; one wouldn't ordinarily expect a minority as repressed and marginalized as the Uyghurs are portrayed to opt for the "premium" solution. I'd expect something more along the lines of cheap Android throwaway devices. Of course there could be some additional factor of which I am unaware...


It was (relatively) targeted, no?


@tds: It would have. First since noscript only runs on Firefox and even if Firefox was equally vulnerable the wxploits weren't delivered to Firefox browsers. And secondly as far as I can see the exploits don't look like being feasible from HTML alone: spawning hundreds of process groups of 16 processes each and similar. But I don't know a noscript user who isn't ready to try to turn noscript off many scripts if this is required to make a website work.

Clive Robinson • September 3, 2019 11:20 AM

@ Bruce,
And then that the websites were targeted at Uyghurs. Which leads us all to blame China.

Whilst the Chinese are known to have to put it politly a very robust attitude to Muslims, many others have an even worse attitude which involves a level of nastyness that could easily make people vomit. This includes many other Muslims, Hindus and various Government entities.

Thus personally I'd hold of making that soet of judgment untill we have not just more evidence but more reliable evidence.

But what this does reenforce is my attitude to consumer electronics privacy and security, it's basically rubbish and anyone who makes the assumption that FMCE even high priced FMCE is walking down a path that could lead to disapearing and a lot of pain.

All this proves realy is most designers have either not got a clue or a conscious decision has been made in their emoloying entity that "Privacy and Security" does not pay. We know this from Googles published rules for App developers and we know it's true for Microsoft.

Why people should think Apple are any better has always been a mystery to me...


@Steve re: Uyghur iPhone ownership

iPhones are very popular in China. Also iPhones are seen as more "secure" than Android phones. The high prices for iPhone zero-days seems to support this. Therefore, activists tend to prefer iPhones over Android phones.

Re: NoScript:
Browsers on iOS are severely restricted. No elective script blocker seems to be "possible". Javascript is either on or off on an iPhone.


Hello I am a Mac. Hello, I am a Pixel. It seems a lot like the Mac vs PC campaign only this time with Google. What's next? Google opens their own stores?


Minority need not fit some stereotyped or prejudiced pigeon-hole. Some minorities are generally wealthier than than the average majority. Some are generally poorer. iPhones can be status symbols - show off your wealth


Not only IOS.



Long article with lots of background, mostly not high tech, but here's a snip on high tech:

What’s Really Happening to Uighurs in Xinjiang?
China may have interned more than a million Uighurs in Xinjiang in an attempt to suppress their desire for greater autonomy.
By Rémi Castets, March 19, 2019
Xinjiang has also become a testing ground for high tech and big-data security. Smartphones can be checked at any time at police and other roadside checkpoints. A vast system of facial-recognition video surveillance has been upgraded. Most Uighurs have had to surrender their passports, destroying the hopes of those who want to emigrate.



One wonders whether the intended targets of these exploits might also have been those following information relevant to the Uyghur community in China - whether ethnic Uyghurs abroad, journalists, or international NGOs, for example. For whom an iPhone could have been a comparatively cheaper purchase. These external information consumers could be less well known / subject to control by Chinese authorities, but tossing a bit of barium in the watering hole (to mix metaphors) could serve to illuminate the map of interested parties in addition to any specific attack activities.


@Winter
The fact that the attack didn't work against iPhone XS also supports that iPhones are "more secure".

RealFakeNews • September 3, 2019 7:45 PM

Isn't the mantra "don't trust the network" taken to a new level in China?

Ergo, I'd be surprised China would need a scatter-gun approach to surveillance when they control the networks the group of interest uses.

This seems more like a fishing trip; see who knows what, and where.

Is there any indication that this attack can spread beyond the initially attacked device, or does any form of reconissance beyond the immediately infected device?

Does it act as a sleeper, or remote C&C point?

It seems there are still too many questions, and quite frankly as laudable Google are with their Zero Day Project, I don't trust their conclusions.


and the good news:

Top price for unpublished Android exploits reaches $2.5 million, a 25% premium over iOS.






What I don't fully get from these earlier reports is that when in Xinjiang you must have the government installed spyware on your Android phone. OK. But what do they do with iPhones? I'm sure the app isn't downloadable from the App Store and it's not so straightforward to sideload apps on iPhone as it is on Android.

According to this list: https://www.apple.com/retail/storelist/ there isn't an Apple branded store in Xinjiang though there are many in China. I'm sure there are official or unofficial resellers, though.


@RealFakeNews, "Ergo, I'd be surprised China would need a scatter-gun approach to surveillance when they control the networks the group of interest uses."

Google can't be trusted at this point due to the fact it's been turned into a propaganda outlet. I would agree that directing unsuspecting websurfers to a site is too much of a "scatter-gun" approach of surveillance. I seriously doubt they conduct this type of doings because there are other more effective and less expensive ways of conduct. This does not pass the sniff test at all.


@Clive Robinson

"Why people should think Apple are any better has always been a mystery to me..."

IIRC, Schneier on Security ("'SoS'") has discussed how privacy is required for security. It may be that Google's 'collect all personal information' mentality may be antithetical to privacy and security.

OTOH, IIRC, @thegrugq is considering switching from iPhone to Android.

These links address some of the security changes in iOS 13, although AFAIK not the topic of this thread.



Clive Robinson • September 4, 2019 7:51 AM

@ tds,
OTOH, IIRC, @thegrugq is considering switching from iPhone to Android.

That's his choice, but it's a little like askng,Which is better, to die under five tons of sand, or five tonnes of sand?

To all intents and puproses the end result is the same[1].

Which is the point Apple-v-Android makes a fractional difference and changes over time, but either way you are still going to end up the same way with an "End Run" or "Find Fix and Finish" attack.

As long as the "security end point" is on the same "consumer device" as the "communications end point" you are not secure and it's just a question of probability as to when you get to the end game.

The reason as far as "privacy" goes is that "consumer devices" such as Fast Moving Consumer Electronics (FMCE) are not designed in a way where there is sufficient segregation between the communications function and the Human Computer Interface (HCI) function. Therefor an attacker can use one of hundreds of attacks to "see" the HCI from the Communications channel, thus bypassing what ever crypto or security function the Application running on the FMCE Smart Consumer device does to make the security end point.

So if you want privacy the first step is to get the securiry end point off device so an attacker can not end run it from the communications channel.

However Privacy and Security are not the same thing. Privacy comes in levels with in the more general domain of security. Thus you have basic "Data Privacy" that can be achived by encryption. Then you have "Communications Privacy" that looks after making your communications of sufficiently Low Probabiliry of Intercept (LPI) that an attacker can be assumed under normal conditions not able to detect your communications as the energy you emit is effectively below the attckers receivers noise floor. Then there is "Traffic Privacy" which assumes that whilst the attacker can see communications energy above their RX noise floor they can not work out if Data is being sent or who from or who to.

Each privacy domain falls in a different and often technically unrelated knowledge domain. Thus requiring not just different knowledge but very different techniques that are very much dependent on the domain. Thus the use of radio "Broadcast" networks is very different to the use of wired "Routed" networks.

[1] The metric tonne is 1000kg, the Imperial ton is 1016kg, thus the extra 80kg over the 5000kg bring only 1.6% is not likely to change when you die.


@Steve, VinnyG, Winter, Stereotyped, Anon

IMO you have covered, perhaps, the targeted populations, and some of their nuances, well.







"VPN stops working? Have you ever wondered why the Great Firewall can block VPNs seemingly whenever it chooses to do so, but not always? No? I thought so, here's a thread on why anyways. 1/16

At the most basic level the internet is a game of hot potato. You stick a message (called a packet) a with a destination on it and a series of routers will estimate which direction they think its in and throw it off that way as quickly as they can until it gets there. 2/16"


Bruce:
Off-topic ....

Heads-up for upcoming seminar -- Asymmetric Threat Symposium XII, Oct 7, George Mason U, Arlington campus.
www.asymmetricthreat.net

SpaceLifeForm • September 4, 2019 3:19 PM

@Clive, @tds

I'll just note that @thegrugq uses both iPhone and Android, but recommends Android. He uses iPhone for a *reason*.

(the *reason* is not what most would guess. Remember, he always says to 'wash hands after return from libc. He has *not* been researching this for years for no *reason*)

Here is good overview of how the iPhone was hackable via Drive-by/Water Hole attack, and the effort involved to get root.

It takes many steps in the chain of flaws to get there.


Note: I do not believe Apple has fully fixed this. I think they have blocked a specific step in the chain. But not fully solved because they have not blocked all angles of attack.

Think bandaid. Not tourniquet.


How about the cellular modem?

Might WiFi only iPads, iPhones or Android devices have fared better?

Is the following still valid? Nicholas Weaver from 2015. I wonder what he thinks now.


"Properly configured, an iOS device is perhaps the most secure, general purpose communication device available. The iPod Touch [iPad? ; Apple Watch?] in particular is my preferred communication device for those who need to operate in an extremely hostile network such as China or France, and for most users, iOS is vastly more secure than Android.

Despite this, "best" does not mean "impregnable".

[...]

The IMEI on the back is enough information for the FBI to find the phone's carrier and, with a simple warrant, gain a trove of information. Smart phones continuously communicate on the cellphone network, and Apple's Siri in particular will still use cellular connectivity even when on a WiFi network."


Extra time on your hands or curious

For the Uyhgurs and the rest of us [1] might cookies be irrelevant. In other words, could somebody sniffing around identify ones' device by its' canvas, or whatever, fingerprint? As opposed to catching a fingerprint at an endpoint.

For device fingerprinting:

1)try https://panopticlick.eff.org using your cellular carrier with javascript turned on

2)try https://panopticlick.eff.org using your cellular carrier with javascript turned off

3)try https://panopticlick.eff.org using WiFi with javascript turned off

IIRC I couldn't get 2) to work

[1] Niemöller:

"First they came for the Communists
And I did not speak out
Because I was not a Communist

Then they came for the trade unionists
And I did not speak out
Because I was not a trade unionist

Then they came for the Jews
And I did not speak out
Because I was not a Jew

Then they came for me
And there was no one left
To speak out for me

[...]

Niemöller is quoted as having used many versions of the text during his career, but evidence identified by professor Harold Marcuse at the University of California Santa Barbara indicates that the Holocaust Memorial Museum version is inaccurate because Niemöller frequently used the word "communists" and not "socialists."[1] The substitution of "socialists" for "communists" is an effect of anti-communism, and most common in the version that has proliferated in the United States. According to Marcuse, "Niemöller's original argument was premised on naming groups he and his audience would instinctively not care about. The omission of Communists in Washington, and of Jews in Germany, distorts that meaning and should be corrected."[1]"


After listening to David Bowie, I thought of some of the stories or photos from the Hong Kong protests

No comments:

Post a Comment