Apple Balances China Profits, Privacy
Chinese Government Denies Hacking iCloud UsersApple CEO Tim Cook traveled to China Oct. 22 in the wake of allegations that state-sponsored hackers had begun targeting iCloud users.
See Also: Webinar | Identity Crisis: How to Combat Session Hijacking and Credential Theft with MDR
While in China, Cook met with Chinese Vice Premier Ma Kai and "exchanged views on protection of users' information," reported China's state-run Xinhua news agency. During his visit, Cook also announced that Apple plans to augment its roster of 15 Apple Stores in China with 25 new outlets, according to an interview transcript on Sina.com.
Cook's visit came after Apple issued an alert to iCloud users - in which China was not named - warning of "intermittent organized network attacks using insecure certificates" that were designed to intercept personal information. The alert didn't name any potential culprit, but warned users to heed any certificate warnings, especially when browsing to www.icloud.com. "Users should never enter their Apple ID or password into a website that presents a certificate warning," Apple's alert said.
While Apple didn't name names, the initial report of man-in-the-middle attacks against iCloud users, which came from anti-censorship group Greatfire.org, directly accused the Chinese government of being behind the attacks. "The Great Firewall of China is now wiretapping Apple's iCloud," it said. "This is clearly a malicious attack on Apple in an effort to gain access to usernames and passwords and consequently all data stored on iCloud such as iMessages, photos, contacts, etc."
But Chinese Foreign Ministry spokeswoman Hua Chunying has dismissed the report as being "wild guesses and malicious blemish," Xinhua reported. "China is resolutely opposed to hacker attacks in all forms, and China itself is a major victim of cyber-attacks," she said.
Attacks Coincide With iPhone Launch
The iCloud attacks coincided with the Oct. 17 launch in China of the iPhone 6, which includes stronger default encryption for numerous types of data. "The timing is very suggestive that people are trying to hoover up credentials so that from a later date they could get in and have a look," says Alan Woodward, who's a visiting professor at the department of computing at England's University of Surrey, as well as a Europol advisor.
By stealing iCloud credentials, authorities could access data that would otherwise be tough to retrieve from Apple's latest smart phones. "The iPhone might have military-grade AES-256 encryption, but if you back up to iCloud - or as I like to call it, 'somebody else's computer' - why not go for iCloud? Why charge at the thing head on? Go around the side," Woodward says.
Furthermore, anyone who uses an iPhone 6 in China may be placing themselves under greater scrutiny by state authorities, given the device's improved data encryption. "Each new development in defensive measures will see developments in how to circumvent that security," says Dublin-based information security consultant Brian Honan, who's an adviser to Europol.
Man-In-The-Middle Attack
Furthermore, because the telecommunications firms that run the Chinese Internet are state-owned, this type of attack wouldn't have been difficult for a government agency to execute, security experts say. "If you have control of the targets' traffic, such as managing their DNS servers, then you will be in a strong position to manipulate their traffic and undermine their security," Honan says.
In fact, this appeared to be a rather simple attack, which relied on users ignoring or dismissing browser warnings about invalid certificates, and then getting routed to a spoof site. "It is a man-in-the-middle attack, where the attackers are spoofing a site that users would normally trust," Woodward says. "Unfortunately it is possible to obtain certificates relatively easily, with minimal checking of ID, and so you can look remarkably similar to genuine sites."
But not all browsers have invalid-certificate alerts, Greatfire warns. While Chrome, Firefox and Safari offer the alerts, "Qihoo's popular Chinese 360 secure browser ... will load the MITMed page directly," the company notes.
A Profitable Market
Cook's trip to China reflects just how valuable the massive Chinese market is for the technology giant, even though Apple isn't one of the country's biggest smart phone sellers by volume, according to research firm Counterpoint Technology Market Research.
But Apple's smart phone profits are among the highest in the business, Peter Richardson, research director at Counterpoint, tells Information Security Media Group. "Between them, Apple and Samsung account for nearly all industry profits - greater than 95 percent [worldwide]," he says.
Because so much of Apple's manufacturing is based in China, it probably can't afford to alienate Chinese government officials. So that may make it difficult for the company to presuade government agencies to cease any attempts to undermine Apple users' data security.
"Tim Cook has an unenviable balancing act to perform," Woodward says. "China will want some way of mounting surveillance of their users, and privacy is quite alien in their culture, so Apple may find they are under pressure to meet them half way. It's not dissimilar to Google agreeing to participate in censorship - they eventually found that they couldn't live with the compromises and so had to withdraw [from the Chinese market]."