Apple is warning its iCloud users over heightened spying risks following the discovery of attacks which security watchers have claimed are down to crude snooping by the Chinese government.
Without naming China directly, Apple said it was "aware of intermittent organised network attacks" on its iCloud service designed to obtain user information. A support page article published on Tuesday advises users to pay close attention to browser warnings about fake certificates and never to enter passwords into sites that push out certificate warnings.
We’re aware of intermittent organized network attacks using insecure certificates to obtain user information, and we take this very seriously. These attacks don't compromise iCloud servers, and they don't impact iCloud sign in on iOS devices or Macs running OS X Yosemite using the Safari browser.
The iCloud website is protected with a digital certificate. If users get an invalid certificate warning in their browser while visiting www.icloud.com, they should pay attention to the warning and not proceed. Users should never enter their Apple ID or password into a website that presents a certificate warning.
China is allegedly intercepting encrypted iCloud *and* Windows Live logins of local users, according to watchdog site GreatFire.org. The man-in-the-middle style attack on Apple’s iCloud follows recent snooping on Github, Google, Yahoo and Microsoft but differs by being even more wide-ranging and extensive.
"This is clearly a malicious attack on Apple in an effort to gain access to usernames and passwords and consequently all data stored on iCloud such as iMessages, photos, contacts, etc," GreatFire.org reports. "Unlike the recent attack on Google, this attack is nationwide and coincides with the launch today in China of the newest iPhone."
Previous attacks against users of Google and Yahoo aimed at harvesting search history, but the latest snooping appears geared towards gaining access to raw account data, including users' iMessages, photos and contacts. The snooping campaign may be motivated by an attempt to identify who has been sharing images and videos of the Hong Kong protests on the Chinese mainland.
The Chinese government has denied any links to the attacks.
"China is resolutely opposed to hacker attacks in all forms and China itself is a major victim of cyber attacks," Chinese Foreign Ministry spokeswoman Hua Chunying said at a daily news briefing, Xinhua reports.
Nevertheless, GreatFire.org claimed: "If users ignored the security warning and clicked through to the Apple site and entered their username and password, this information has now been compromised by the Chinese authorities."
Whoever is behind the attack, it appears to be geared towards harvesting Apple iCloud and Windows Live (Hotmail) logins, as a technical description (complete with screenshots) by the privacy advocates explains. Put simply: connecting to Apple's iCloud from China redirects surfers to a bogus log-in page that harvests login credentials before relaying them to the genuine iCloud log-in servers.
GreatFire.org's warning has attracted a great deal of attention. The Chinese Foreign Ministry has responded by blaming "hacker infiltration" in reports issued through the official Xinhua Chinese government news agency.
China Telecom has denied reports it might be facilitating government-backed iCloud snooping as "untrue and unfounded", the BBC adds.
Security watchers are unconvinced by these denials. GreatFire.org has put together a wealth of evidence of malfeasance including a self-signed certificate used in the attack, trace-routes, wire captures and connection logs.
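The check Apple's advice boils down to, and the reason the self-signed certificate in GreatFire.org's evidence trips a browser warning, can be shown directly. This is an added example, not code from Apple, GreatFire.org or The Register: it mints a constructed test root, a genuine-style www.icloud.com leaf signed by that root, and a self-signed leaf for the same hostname, then verifies each the way a client should (chain to a trusted root, hostname match) instead of clicking through.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a certificate for host. With parent == nil it is self-signed,
// the kind of certificate GreatFire.org reported in the interception.
func makeCert(host string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil { // self-signed: the template signs itself with its own key
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// CheckServerCert does what a browser does before showing the warning: it tries
// to chain the leaf to a trusted root for the expected hostname. A self-signed
// leaf is flagged separately because that is what this interception presented.
func CheckServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string) (trusted, selfSigned bool, reason string) {
	selfSigned = leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return false, selfSigned, err.Error()
	}
	return true, selfSigned, "chain verified"
}
```

A client that reaches the `trusted == false` branch should abort and log the offered certificate's fingerprint, never fall back to submitting credentials.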
Network forensics firm Netresec reports that the iCloud attack is being run from networks belonging to China Telecom and China Unicom, two state-controlled broadband providers. If this is the case, the attack originates from deep within China's own domestic network.
Steve Hultquist, chief evangelist at network visibility and analytics firm RedSeal, opined: "China uses a nationwide firewall system through which they force all internet traffic to pass so they can filter both what enters and what leaves China." He added: "This firewall has been used to censor information and also to block various VPN systems from providing unfiltered links to the rest of the internet. Given the recent release of the more-secure iOS 8, it's possible that the government hopes to capture access to iCloud and Microsoft accounts through a MitM attack that captures username and password information."
There is no obvious cybercrime or cyber-hacktivist motive for the latest attacks. Intel agencies - most notably GCHQ, in an operation involving targets at Belgacom and faked LinkedIn pages - have been accused of running MitM attacks in the past, but there are few indications any government outside China might be involved in this ongoing iCloud snooping.
"All the evidence I've seen would support that this is a real attack," Mikko Hypponen, chief research officer at F-Secure, told the BBC. He claimed: "The Chinese government is directly attacking Chinese users of Apple's products."
"China's iCloud hack is so blatant, they're not even trying to hide it" noted one EFF policy analyst on Twitter.
RedSeal's Hultquist advised Chinese iCloud users to tread carefully and use two-factor authentication. "Consumers in China should use strong security – such as 2-factor authentication – for all internet accounts. There is an ongoing battle between those who desire to capture information and those who desire to communicate without surveillance. The blocking of VPN services by the Great Firewall is just one example of the ongoing conflict," he concluded. ®