The FBI, via Director James Comey’s latest speech, is not the only authority worried about encryption enabled on Apple’s new iPhones. The iPhone 6 launched in China last week and the new encryption capabilities may be behind Chinese authorities launching a man-in-the-middle attack on Apple’s iCloud. This is not a small-scale targeted attack on a few new iPhone owners, but a huge-scale attack implemented on the level of the Great Firewall of China.
GreatFire, which monitors censorship in China, claims the “Great Firewall of China is wiretapping Apple’s iCloud;” GreatFire co-founder Charlie Smith told the South China Morning Post, "We know that the attack point is the Chinese internet backbone and that it is nationwide, which would lead us to be 100% sure that this is again the work of the Chinese authorities. Only Chinese [Internet service providers] and the government have access to the backbone.”
Chinese authorities self-signed a fake iCloud digital certificate so that when users try to connect to iCloud.com, they are instead redirected to a spoofed iCloud site. Then when the users enter sensitive information, bam it is intercepted and in the hands of Chinese authorities.
GreatFire GreatFire provided other technical evidence in the form of two wirecaptures and a traceroute example showing the MITM attacks. According to GreatFire:
This is clearly a malicious attack on Apple in an effort to gain access to usernames and passwords and consequently all data stored on iCloud such as iMessages, photos, contacts, etc. Unlike the recent attack on Google, this attack is nationwide and coincides with the launch today in China of the newest iPhone. While the attacks on Google and Yahoo enabled the authorities to snoop on what information Chinese were accessing on those two platforms, the Apple attack is different. If users ignored the security warning and clicked through to the Apple site and entered their username and password, this information has now been compromised by the Chinese authorities.
“Qihoo’s popular 360 secure browser is anything but and will load the MITMed page directly,” GreatFire warned. But if Chinese users run Firefox or Chrome, then both browsers will refuse to access the fake iCloud.com site; warnings like those are not ones to ignore and visit the malicious site anyway. Using a VPN service should also allow users to access and login to the real iCloud site. Users are encouraged to enable Apple’s two-step verification to prevent anyone else from accessing their account even if an attacker has the password.
GreatFire believes the attack “may also somehow be related again to images and videos of the Hong Kong protests being shared on the mainland. The authorities only attacked IP 23.59.94.46. Not all users in China are affected because the iCloud DNS might return different IP addresses.”
The iPhone 6 launched late in China, on Oct. 17, due to the China’s Ministry of Industry and Information Technology opposition to the device’s encryption being enabled by default. That wasn’t how it was worded as the Chinese regulator claimed iOS 8 had three suspected security flaws in “background services.” Ironically, after MIIT claimed “it was paying ‘great attention’ to protecting user’s privacy on smartphones,” it added, "If it's discovered that any related businesses are involved in violating user's privacy, they will be investigated and dealt with according to the law."
FBI Director Comey objects to “sophisticated encryption” because it could create a “black hole” for the “good guys” where the “bad guys” can hide. He called for a debate to find the right “balance” between security and privacy. But the EFF called the debate “phony,” before adding, “Comey wants everybody to have weak security, so that when the FBI decides somebody is a ‘bad guy,’ it has no problem collecting personal data.”
Chinese authorities have to know not everyone with an iPhone is a “bad guy,” just as Comey does, but clearly China believes its “need” to snoop justifies a nationwide Big Brother-in-the-browser attack.