{"id":260212,"date":"2021-05-27T11:16:42","date_gmt":"2021-05-27T08:16:42","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/chinese-hackathon-reportedly-revealed-ios-breach-exploited-it-to-spy-on-uyghurs\/"},"modified":"2021-05-27T11:16:42","modified_gmt":"2021-05-27T08:16:42","slug":"chinese-hackathon-reportedly-revealed-ios-breach-exploited-it-to-spy-on-uyghurs","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/chinese-hackathon-reportedly-revealed-ios-breach-exploited-it-to-spy-on-uyghurs\/","title":{"rendered":"#Chinese hackathon reportedly revealed iOS breach, exploited it to spy on Uyghurs"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_85 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<label for=\"ez-toc-cssicon-toggle-item-6a39a1413d5aa\" class=\"ez-toc-cssicon-toggle-label\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #dd3333;color:#dd3333\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #dd3333;color:#dd3333\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input type=\"checkbox\"  id=\"ez-toc-cssicon-toggle-item-6a39a1413d5aa\" checked aria-label=\"Toggle\" \/><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/buradabiliyorum.com\/en\/chinese-hackathon-reportedly-revealed-ios-breach-exploited-it-to-spy-on-uyghurs\/#Hacking_competitions\" >Hacking competitions<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/buradabiliyorum.com\/en\/chinese-hackathon-reportedly-revealed-ios-breach-exploited-it-to-spy-on-uyghurs\/#Zero-day_attacks\" >Zero-day attacks<\/a><\/li><\/ul><\/nav><\/div>\n<p>&#8220;<strong>#Chinese hackathon reportedly revealed iOS breach, exploited it to spy on Uyghurs<\/strong>&#8221;<\/p>\n<div>When <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/download-scripts-themes-apps\/\" data-internallinksmanager029f6b8e52c=\"9\" title=\"Download Scripts &amp; Themes &amp; Apps\" target=\"_blank\" rel=\"noopener\">App<\/a>le announced in a 2019 <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.apple.com\/newsroom\/2019\/09\/a-message-about-ios-security\/\">blog post<\/a> that it had patched a security vulnerability in its iOS operating system, the company sought to reassure its customers. The attack that had exploited the vulnerability, Apple said, was \u201cnarrowly focused\u201d on websites featuring content related to the Uyghur community.<\/p>\n<p><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.technologyreview.com\/2021\/05\/06\/1024621\/china-apple-spy-uyghur-hacker-tianfu\/\">It has since emerged<\/a> that the vulnerability in question was discovered at China\u2019s principal hacking competition, the Tianfu Cup, where a professional hacker won a prize for his work in uncovering it. The normal protocol would be to inform Apple of the vulnerability. But it\u2019s alleged that, instead, the breach was kept secret, with the Chinese government acquiring it to <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.technologyreview.com\/2021\/05\/06\/1024621\/china-apple-spy-uyghur-hacker-tianfu\/\">spy on the country\u2019s Muslim minority<\/a>.<\/p>\n<p>Hacking competitions are an established way for <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/technology\/\" data-internallinksmanager029f6b8e52c=\"4\" title=\"Technology\" target=\"_blank\" rel=\"noopener\">technology<\/a> companies like Apple to locate and attend to weaknesses in their software\u2019s cybersecurity. But with <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.itpro.co.uk\/security\/zero-day-exploit\/358760\/microsoft-exchange-zero-day-hack\">state-backed hacks<\/a> on the rise, the suggestion that the Tianfu Cup is feeding Beijing new ways to perform surveillance is concerning \u2013 especially seeing as Chinese competitors have dominated international hacking competitions for years.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Hacking_competitions\"><\/span>Hacking competitions<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>When software is hacked, it\u2019s often because attackers have found and exploited a cybersecurity vulnerability that the software vendor didn\u2019t know existed. Finding these vulnerabilities before they\u2019re spotted by <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.zdnet.com\/article\/cybercrime-and-cyberwar-a-spotters-guide-to-the-groups-that-are-out-to-get-you\/\">cyber-criminals or state-backed hackers<\/a> can save technology providers a huge amount of money, time, and public-relations firefighting.<\/p>\n<p>That\u2019s why hacking competitions exist. Tech companies provide the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.zerodayinitiative.com\/blog\/2021\/1\/25\/announcing-pwn2own-vancouver-2021\">prize money<\/a> and cybersecurity researchers \u2013 or professional hackers \u2013 compete to win it by finding the security weaknesses hidden in the world\u2019s most-used software. The likes of Zoom and Microsoft Teams were <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.forbes.com\/sites\/thomasbrewster\/2021\/04\/08\/microsoft-teams-and-zoom-hacked-in-1-million-competition\/\">successfully hacked<\/a> in April\u2019s Pwn2Own event, for instance, which is regarded as the top hacking competition in North America.<\/p>\n<p>Until 2017, Chinese hackers walked away with a <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/news.cgtn.com\/news\/3d59544e32417a4d\/share_p.html\">high proportion of prizes<\/a> offered at Pwn2Own. But after a Chinese billionaire <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/tech.sina.cn\/i\/gn\/2017-09-12\/detail-ifykusey8931658.d.html?vt=4\">argued<\/a> that Chinese hackers should \u201cstay in China\u201d because of the strategic value of their work, Beijing responded by <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.cyberscoop.com\/pwn2own-chinese-researchers-360-technologies-trend-micro\/\">banning Chinese citizens<\/a> from competing in overseas hacking competitions. China\u2019s Tianfu Cup was set up shortly after, in 2018.<\/p>\n<p>In its first year, a hacker competing in the Tianfu Cup produced a prize-winning hack he called \u201c<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/threatpost.com\/chaos-iphone-x-jailbreak\/141104\/\">Chaos<\/a>\u201d. The hack could be used to remotely access even the latest iPhones \u2013 the kind of breach that could easily be used for surveillance purposes. <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/googleprojectzero.blogspot.com\/2019\/08\/a-very-deep-dive-into-ios-exploit.html\">Google<\/a> and <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.apple.com\/newsroom\/2019\/09\/a-message-about-ios-security\/\">Apple<\/a> both spotted the hack \u201cin the wild\u201d two months later, after it had been used in a targeted way against Uyghur iPhone users.<\/p>\n<p><iframe loading=\"lazy\" title=\"[Demo] iPhone X iOS 12.1 remote jailbreak [Chaos]\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/JznReTetgOI?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/p>\n<p>Though Apple mitigated the hack within two months, this case shows that exclusive national hacking competitions are dangerous \u2013 especially when they take place in countries that <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.hrw.org\/world-report\/2020\/country-chapters\/global\">require citizens to cooperate<\/a> with government demands.<\/p>\n<p>Hacking competitions are designed to expose \u201czero-day\u201d vulnerabilities \u2013 security weaknesses that software vendors haven\u2019t located or foreseen. Prize-winning hackers are supposed to share the techniques they used so that the vendors can devise ways to patch them up. But keeping zero-day exploits private, or passing them on to government institutions, significantly increases the chance they\u2019ll be used in state-backed zero-day attacks.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Zero-day_attacks\"><\/span>Zero-day attacks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>We\u2019ve seen examples of such attacks before. <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.csoonline.com\/article\/3616699\/the-microsoft-exchange-server-hack-a-timeline.html\">Early in 2021<\/a>, four zero-day vulnerabilities in the Microsoft Exchange server were used to launch widespread attacks against <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.wsj.com\/articles\/china-linked-hack-hits-tens-of-thousands-of-u-s-microsoft-customers-11615007991?mod=tech_lead_pos1\">tens of thousands of organizations<\/a>. The attack has been <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.itpro.co.uk\/security\/zero-day-exploit\/358760\/microsoft-exchange-zero-day-hack\">linked with Hanium<\/a>, a Chinese government-backed hacking group.<\/p>\n<p>A year earlier, <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.businessinsider.com\/solarwinds-hack-explained-government-agencies-cyber-security-2020-12?op=1\">the SolarWinds hack<\/a> compromised the security of multiple US federal agencies, including the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.bbc.com\/news\/world-us-canada-55265442\">Treasury and Commerce Department<\/a> and the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.chathamhouse.org\/2021\/02\/solarwinds-hack-valuable-lesson-cybersecurity?gclid=Cj0KCQjwo-aCBhC-ARIsAAkNQivQecAKCMQKg23wXNavyLrz5r6xn9tFy2XUwmYK08r5GT0ReriiKOwaAqtKEALw_wcB\">Energy Department<\/a>, which is in charge of the country\u2019s nuclear stockpile. The hack has been linked to <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/groups\/G0016\/\">APT29<\/a>, also known as \u201c<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.independent.co.uk\/news\/uk\/home-news\/cozy-bear-russia-hacking-coronavirus-vaccine-oxford-imperial-college-a9623361.html\">Cozy Bear<\/a>\u201d, which is the hacking arm of Russia\u2019s foreign intelligence service, the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.bbc.com\/news\/10447308\">SVR<\/a>. The same group was reportedly involved in the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.wired.co.uk\/article\/russia-hack-coronavirus-vaccine\">attempted hacking<\/a> of organizations holding information about COVID-19 vaccines in July 2020.<\/p>\n<p>In Russia and China at least, <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.ibtimes.co.uk\/nation-state-hackers-vs-cybercriminal-gangs-separation-tactics-no-longer-exists-1611556\">evidence suggests<\/a> that gangs of cybercriminals are working closely, and sometimes interchangeably, with state-sponsored hacking groups. With the advent of the Tianfu Cup, China appears to have access to a new talent pool of expert hackers, motivated by the competition\u2019s prize money to produce potentially harmful hacks that Beijing may be willing to use both at home and abroad.<!-- Below is The Conversation's page counter tag. Please DO NOT REMOVE. --><img loading=\"lazy\" decoding=\"async\" style=\"border: none !important; box-shadow: none !important; margin: 0 !important; max-height: 1px !important; max-width: 1px !important; min-height: 1px !important; min-width: 1px !important; opacity: 0 !important; outline: none !important; padding: 0 !important; text-shadow: none !important;\" alt=\"The Conversation\" width=\"1\" height=\"1\" class=\"js-lazy\" src=\"https:\/\/counter.theconversation.com\/content\/161226\/count.gif?distributor=republish-lightbox-basic\"\/><!-- End of code. If you don't see any code above, please get new code from the Advanced tab after you click the republish button. The page counter does not collect any personal data. More info: https:\/\/theconversation.com\/republishing-guidelines --><\/p>\n<p><noscript><img loading=\"lazy\" decoding=\"async\" style=\"border: none !important; box-shadow: none !important; margin: 0 !important; max-height: 1px !important; max-width: 1px !important; min-height: 1px !important; min-width: 1px !important; opacity: 0 !important; outline: none !important; padding: 0 !important; text-shadow: none !important;\" src=\"https:\/\/counter.theconversation.com\/content\/161226\/count.gif?distributor=republish-lightbox-basic\" alt=\"The Conversation\" width=\"1\" height=\"1\" class=\"\" srcset=\"\"\/><\/noscript><\/p>\n<p><em>This article by\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/theconversation.com\/profiles\/chaminda-hewage-808758\">Chaminda Hewage<\/a>, Reader in Data Security, <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/theconversation.com\/institutions\/cardiff-metropolitan-university-1585\">Cardiff Metropolitan University<\/a> and <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/theconversation.com\/profiles\/elochukwu-ukwandu-1234613\">Elochukwu Ukwandu<\/a>, Lecturer in Computer Security, Department of Computer <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/sciencee\/\" data-internallinksmanager029f6b8e52c=\"5\" title=\"Science\" target=\"_blank\" rel=\"noopener\">Science<\/a>, <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/theconversation.com\/institutions\/cardiff-metropolitan-university-1585\">Cardiff Metropolitan University<\/a> is republished from <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/theconversation.com\">The Conversation<\/a> under a Creative Commons license. Read the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/theconversation.com\/a-chinese-hacking-competition-may-have-given-beijing-new-ways-to-spy-on-the-uyghurs-161226\">original article<\/a>.<\/em><\/p>\n<\/div>\n<blockquote><p><strong><span style=\"color: #ff6600;\">If you liked the article, do not forget to share it with your friends. Follow us on\u00a0<span style=\"color: #ff0000;\"><a style=\"color: #ff0000;\" href=\"https:\/\/news.google.com\/publications\/CAAqBwgKMLG0nwswvr63Aw\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Google News<\/a><\/span>\u00a0too, click on the star and choose us from your favorites.<\/span><\/strong><\/p><\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\">For forums sites go to <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/forum.buradabiliyorum.com\/\" target=\"_blank\" rel=\"noopener\">Forum.BuradaBiliyorum.Com<\/a><\/span><\/strong>\n<\/p><\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\"><strong>If you want to read more like this article, you can visit our <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/en.buradabiliyorum.com\/technology\/\" target=\"_blank\" rel=\"noopener\">Technology category.<\/a><\/span><\/strong><\/p>\n<\/blockquote>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/thenextweb.com\/news\/chinese-hackathon-revealed-ios-breach-exploited-it-uyghurs-surveillance-syndication\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#Chinese hackathon reportedly revealed iOS breach, exploited it to spy on Uyghurs&#8221; When Apple announced in a 2019 blog post that it had patched a security vulnerability in its iOS operating system, the company sought to reassure its customers. The attack that had exploited the vulnerability, Apple said, was \u201cnarrowly focused\u201d on websites featuring content&#8230;<\/p>\n","protected":false},"author":1,"featured_media":260213,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/img-cdn.tnwcdn.com\/image\/tnw?filter_last=1&fit=1280,640&url=https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/05\/chinese-hackers.jpg&signature=50668e4d6cf285c1b5b62dbae8795fe1","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-260212","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/260212","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=260212"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/260212\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/260213"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=260212"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=260212"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=260212"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}