In 2019, a Chinese security researcher working with the internet security and antivirus company Qihoo 360 unveiled an intricately woven exploit: One that would allegedly let a remote attacker easily jailbreak an iPhone X iOS 12.1.
The researcher, Qixun Zhao, dubbed the exploit Chaos, for good reason. As this proof-of-concept video allegedly shows, a successful exploit would allow a remote attacker to jailbreak an iPhoneX, with the targeted user none the wiser, allowing the intruder to gain access to a victim’s data, processing power and more. It worked as a drive-by malware download, only requiring that the iPhone user visit a web page containing Qixun’s malicious code.
It would have made a superb spying tool, seeing how it would let an attacker easily take control of even the newest, most up-to-date iPhones, enabling a snooper to read a victim’s messages and passwords and to track their location in near-real time.
According to a report published by MIT Technology Review on Thursday, that’s exactly what happened: “Virtually overnight,” Chinese intelligence allegedly used the exploit as a weapon before Apple could fix the problem.
The publication said that, according to its sources, the U.S. has amassed details of how the Chaos exploit was used to hack China’s Uyghur Muslims — a common target of espionage campaigns. The claim is bolstered by earlier reporting: In August 2019, sources told TechCrunch that malicious websites used to hack into iPhones over two years were targeting the Uyghurs.
Look-Alike Exploits
Google security researchers had found and disclosed the malicious websites a week before TechCrunch’s report, but they hadn’t initially known who the malicious sites were targeting. However, they knew that the code looked familiar: In an in-depth examination, Google noted how similar the malicious-sites exploit was to Chaos.
Now, MIT Technology Review has learned that the U.S. had come to the same conclusion, and that it had “quietly” informed Apple. Apple, which had been tracking the attack, had already come to the same conclusion on its own: That the Chaos exploit and the attacks on Uyghurs were “one and the same,” as the outlet puts it.
Prioritizing a difficult fix, Apple issued an update to patch the flaw in January 2019.
The patch arrived two months after Chaos had been unveiled at the inaugural Tianfu Cup: A Chinese hacking contest that came into being a few months after the country banned its cybersecurity research teams from competing in the Pwn2Own hacking competition…or, for that matter, in any global hacking or capture-the-flag competitions.
Keeping Security Know-How at Home?
The ban on researchers attending foreign competitions apparently grew out of a distaste for giving away vulnerabilities – via disclosure in public to conference audiences or to hacking programs in real-time. Both the ban and the subsequent launch of the Tianfu Cup had followed close on the heels of an announcement from Qixun’s boss – Zhou Hongyi, the billionaire founder and CEO of Qihoo 360 – criticizing the export of vulnerabilities that, once made public, can “no longer be used.” Both the researchers and their know-how should “stay in China,” he said, in order to maximize the “strategic value” of zero days.
In an interview with the Chinese news site Sina, the influential CEO called the achievement of winning cash prizes at foreign competitions “imaginary.”
Qixun Zhao has emphatically denied involvement, telling MIT Technology Review that he couldn’t remember who came into possession of the exploit code following his win – for which he was awarded $200,000 – at Tianfu Cup. Although he’s suggested that the exploit used against Uyghurs was probably used “after the patch release,” both Google and Apple have documented how it was used before the January 2019 fix. His exploit shares code from other exploit writers, he said, but Apple and U.S. intelligence sources told MIT Technology Review that the exploits aren’t similar; in fact, they’re the same. Qixun may well not be personally involved, given that Chinese law requires citizens and organizations to cooperate with intelligence agencies when asked.
Threatpost reached out to Qixun, Qihoo and Apple for comments and will update the article accordingly.
Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” – a LIVE roundtable event on Wed, May 12 at 2:00 PM EDT. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and Register HERE for free.