Chinese authorities have launched man-in-the-middle (MITM) attacks on Apple’s iCloud.com and Microsoft’s Login.live.com, according to Greatfire.org.
Qihoo 360 browser users’ connections to iCloud.com are being rerouted to a look-alike site that is indistinguishable from Apple’s login page, with no certificate warning shown, Greatfire said.
Users of Firefox or Chrome, which validate the server’s certificate, land on a certificate warning page instead.
The attack on iCloud is nationwide, Greatfire reported. It’s taking place at the level of the Great Firewall, so it’s likely an effort by the Chinese authorities to harvest usernames and passwords, as well as data stored on iCloud.
“China uses a nationwide firewall system through which they force all Internet traffic to pass so they can filter both what enters and what leaves [the country],” Steve Hultquist, chief evangelist at RedSeal, told TechNewsWorld.
Although it’s possible cybercriminals with high-level political connections and good technical skills are behind the attack, “it would be far more difficult for cybercriminals to get access to devices in the middle of a connection from consumers to Apple than for the so-called GreatFirewall to do so,” Hultquist said.
How the Attack Works
The Great Firewall of China carried out the MITM attack on iCloud using a self-signed certificate, that is, one not issued by any certificate authority a browser trusts. That is what separates the two outcomes above: a client that checks the certificate chain and the hostname rejects the substituted certificate and warns, while a client that skips validation silently renders the look-alike login page and accepts whatever the user types into it.
The attack targets only one IP address, 188.8.131.52, so not every user in China is affected.
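To make the two outcomes concrete, here is an added example that is not code from the article or from Greatfire.org. It reconstructs the scenario locally: it mints a throwaway self-signed certificate for an assumed target name (www.icloud.com is used only as a placeholder), stands up an interception server on 127.0.0.1 that serves a constructed look-alike page, and then connects twice, once as a browser that validates certificates (the Firefox/Chrome behaviour) and once as a client that does not (the behaviour the article attributes to Qihoo 360). It assumes Python 3.8+ and an `openssl` binary on PATH, used only to generate the certificate.

```python
"""Local reconstruction of a self-signed-certificate MITM and the check that
defeats it.  Added example, not from the original article or from Greatfire.org.
Assumptions: `openssl` CLI on PATH (only for minting the test certificate),
Python 3.8+; www.icloud.com is a placeholder target name."""
import hashlib
import socket
import ssl
import subprocess
import tempfile
import threading
from pathlib import Path

# Constructed stand-in for the look-alike login page the interception box serves.
FAKE_PAGE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<html><body><form>iCloud login (lookalike)</form></body></html>")


def mint_self_signed_cert(workdir: Path, common_name: str):
    """Create a self-signed certificate for common_name, as an interception box
    would.  Self-signed means issuer == subject: no trusted CA vouches for it."""
    cert, key = workdir / "mitm.pem", workdir / "mitm.key"
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={common_name}", "-keyout", str(key), "-out", str(cert)],
        check=True, capture_output=True)
    return cert, key


def start_mitm_server(certfile, keyfile, n_clients):
    """Listen on 127.0.0.1, present the self-signed cert, serve FAKE_PAGE to
    whoever completes the handshake.  Returns the chosen port."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(n_clients)
    srv.settimeout(10)

    def serve():
        for _ in range(n_clients):
            try:
                conn, _addr = srv.accept()
            except OSError:
                break
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.sendall(FAKE_PAGE)
            except (ssl.SSLError, OSError):
                pass  # a validating client aborts the handshake; expected
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def fetch(port, hostname, validate):
    """Connect as a browser would.  validate=True: chain must end at a trusted
    root and the name must match (Firefox/Chrome).  validate=False: accept any
    certificate, which is what lets the look-alike page through."""
    if validate:
        ctx = ssl.create_default_context()  # system trust store, hostname check on
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    result = {"connected": False, "error": None, "fingerprint": None, "body": b""}
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                der = tls.getpeercert(binary_form=True)
                # SHA-256 of the presented leaf: compare this against a pin or
                # against the fingerprint seen from outside the firewall.
                result["fingerprint"] = hashlib.sha256(der).hexdigest()
                result["connected"] = True
                result["body"] = tls.recv(4096)
    except ssl.SSLCertVerificationError as e:
        result["error"] = e.verify_message  # e.g. "self-signed certificate"
    except ssl.SSLError as e:
        result["error"] = str(e)
    return result


def run_demo(target="www.icloud.com"):
    """Return what a validating and a non-validating client each saw."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = mint_self_signed_cert(Path(tmp), target)
        port = start_mitm_server(cert, key, n_clients=2)
        validating = fetch(port, target, validate=True)
        non_validating = fetch(port, target, validate=False)
    return {"validating": validating, "non_validating": non_validating}


if __name__ == "__main__":
    r = run_demo()
    print("validating client  : rejected ->", r["validating"]["error"])
    print("non-validating     :", "got look-alike page" if r["non_validating"]["connected"]
          else "failed", "| leaf sha256:", r["non_validating"]["fingerprint"])
```

The validating client never sees the page: the handshake is aborted with a verification error before any HTTP is exchanged, which is the warning page Firefox and Chrome users reported. The non-validating client completes the handshake and receives the look-alike page, and would submit credentials to it. The fingerprint the non-validating client records is the practitioner's check in the field: compare it with the fingerprint of the certificate served to a client outside the affected path, or with a pinned value, and a mismatch exposes the substitution even when no warning is shown.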
Beijing may have attacked only one IP address as a test, Hultquist suggested.
“Given the recent release of the more-secure iOS 8, it’s possible that the government hopes to capture access to iCloud and Microsoft accounts through an MITM attack that captures usernames and password information,” he speculated. “Given the Chinese government’s approach to Internet access and information flow, starting with a test of the availability of the attack makes sense.”
The extent of the MITM attack may be overblown: only one IP address has been targeted so far, and it’s not clear how popular the Qihoo browser is. Depending on whose statistics are accurate, it is either one of the three most popular browsers in China or does not rank in the top six, according to ChinaInternetWatch.
Still, the hack “is very similar” to the recent hacks of celebrity accounts that led to the publishing of nude photos of the victims on the Web, Hultquist noted.
Greatfire posted packet captures and traceroutes for the attacks on both targets.
Is Beijing Cutting its Eyes at Apple?
Apple has worked closely with the Chinese authorities in the past, removing apps from its app store in China at their request, Greatfire said.
The MITM attacks appear to have coincided with the launch in China of the iPhone 6, sparking speculation by Greatfire that there’s a tie-in to the increased security offered by iOS 8. Alternatively, Beijing may be seeking to clamp down on dissemination of information about the student protests in Hong Kong.
The attack on iCloud “may indicate that there is at least some conflict between the Chinese authorities and Apple over some of the features on the new phone,” Greatfire suggested.
Ni Hao, James Comey?
In targeting iOS 8’s security measures, Beijing has taken the same stance as FBI director James Comey, who has complained repeatedly that the increased security makes it difficult for his agency to do its job.
Perhaps the FBI could take a leaf from Beijing’s book and launch its own MITM attack.
This scenario wouldn’t be too far-fetched: the FBI has already used a drive-by exploit, served from Freedom Hosting sites, to unmask users of the Tor network, which provides anonymity to users. The exploit targeted a Firefox vulnerability, CVE-2013-1690, in the browser bundled with Tor, and its payload was hidden in a variable named “Magneto.”
That payload gathered the target’s MAC address and Windows hostname and sent them, outside Tor, to a server in Virginia, nullifying the anonymity Tor provides.
On the other hand, as far as is known, the FBI limits its targets to criminals, child pornographers and terrorist suspects.
“This is what nation-states do to ‘protect’ their citizens,” Philip Lieberman, president of Lieberman Software, told TechNewsWorld.