Chinese Government's Hacker Competition Is Being Used To Find Exploits To Wield Against Uighur Citizens

from the aiding-and-abetting dept

Anything the Chinese government can weaponize against its Uighur Muslim population, it will. And has. Further details about an iPhone exploit discovered by Chinese hackers show the Chinese government got into the bug bounty program solely to find vulnerabilities to wield against the government's least-liked residents.

Patrick Howell O'Neill's article for MIT Technology Review points out Chinese hackers used to participate in popular hacking competitions like Pwn2Own, providing invaluable assistance to tech companies and tech users by finding vulnerabilities that could be patched before they were exploited by malicious hackers.

In 2017, Chinese participation in international competitions came to a halt. The founder and CEO of tech giant Qihoo 360 publicly criticized Chinese hackers for helping foreign tech companies find and patch security flaws. The CEO suggested this talent should stay at home and help the government find vulnerabilities to exploit.

That's exactly what has happened. The Chinese government banned participation in foreign hacking competitions and started its own. The first homegrown event was won by a researcher working for Qihoo 360, who found an exploit that allowed malicious actors to take control of even the latest iPhones simply by steering the iPhone user to a webpage containing malware.

This was patched two months later by Apple, quietly and with little attention drawn to it. But incidents occurring in the two months between the discovery and the patch didn't go unnoticed. Google's security researchers observed unusual activity and wrote about it.

[I]n August of [2019], Google published an extraordinary analysis into a hacking campaign it said was “exploiting iPhones en masse.” Researchers dissected five distinct exploit chains they’d spotted “in the wild.” These included the exploit that won Qixun [of Qihoo 360] the top prize at Tianfu, which they said had also been discovered by an unnamed “attacker.”

Now, more details about that string of attacks has been revealed. And it shows the Chinese government took the winning exploit and weaponized it against its Uighur population.

Shortly after Google’s researchers noted the attacks, media reports connected the dots: the targets of the campaign that used the Chaos exploit were the Uyghur people, and the hackers were linked to the Chinese government. Apple published a rare blog post that confirmed the attack had taken place over two months: that is, the period beginning immediately after Qixun won the Tianfu Cup and stretching until Apple issued the fix.

This has now been confirmed by another source: the US government. Its surveillance agencies also picked up on the malicious hacking efforts and noted their targeting of China's favorite target of oppression. And it was the government's intervention that sped up Apple's response to the exploit.

The US quietly informed Apple, which had already been tracking the attack on its own and reached the same conclusion: the Tianfu hack and the Uyghur hack were one and the same. The company prioritized a difficult fix.

This is the sort of cooperation one prefers to see. The federal government has often portrayed Apple as an enemy -- not just of agencies like the DOJ, but of the American public. In this case, the government worked with Apple to stop attacks on foreign citizens by a foreign government. The Chinese government made the most of this exploit for two months -- one it obtained through a homegrown hacking competition that appears to exist solely to create offensive tech weapons for state-ordained hacking.

Meanwhile, the hacker who discovered the exploit and collected the cash (all while working for the company whose CEO called for Chinese hackers to stop helping foreign companies and start helping The Man stick it to locals and foreign adversaries) is trying to distance himself from the damage his exploit has wrought.

When we contacted Qixun Zhao via Twitter, he strongly denied involvement, although he also said he couldn’t remember who came into possession of the exploit code. At first, he suggested the exploit wielded against Uyghurs was probably used “after the patch release.”

Both of these claims are untrue. And both have been debunked by both independent research and US government surveillance. While it's unwise to tangle with the Chinese government by refusing to hand over discovered vulnerabilities, it's probably a little easier to sidestep that obligation by sitting out government-sponsored hacking competitions. In the end, this isn't the researcher's fault. The government chose to use it this way. But anyone entering a Chinese government-sponsored hacking competition is likely well aware any discoveries they make will be weaponized by an extremely oppressive government.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: china, exploits, hackathon, hackers, hacking competition, surveillance, uighurs
Companies: apple


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 14 May 2021 @ 7:49pm

    In this case, the government worked with Apple to stop attacks on foreign citizens by a foreign government.

    ... because there are those in the American government who also use iPhones. If it had not been a rival government, and in the wild, the NSA would have sat on that vulnerability until the last plausibly deniable moment.

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 15 May 2021 @ 6:26am

    disgusting! is it any wonder why communism is despised worldwide, only active in nations where those at the top of the political chain force it to be, under penalty of imprisonment or even death for non-compliers?

    link to this | view in thread ]

  3. icon
    PaulT (profile), 15 May 2021 @ 10:14am

    Re:

    Because the US would never do anything similar...

    In other news, there's a bridge that's recently become available and I'm looking for investors.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 16 May 2021 @ 1:11am

    Re: Re:

    Of course, imagine those "police only backdoors" only being used to catch criminals...

    link to this | view in thread ]

  5. icon
    Scary Devil Monastery (profile), 17 May 2021 @ 12:46am

    Re:

    "is it any wonder why communism is despised worldwide..."

    Well, you are certainly correct about communism. It is, in theory, the perfect social system - if every human worked like a computer, assigning resources according to need and capacity. Since humans aren't perfect communism instead always turns out to be one which benefits a very few at the top at the expense of just about everyone else.

    This is true about every political system but free market capitalism, to name one example, at least incorporates human greed and ambition as a key mechanism. Doesn't make those traits good and without regulation or solid checks and balances pure capitalism becomes as odious as communism.

    Here's the thing; China can call itself "communist" as much as it like but that doesn't make it true. Politically China is the same animal it's always been - a feudal burecucracy governed by an elite conglomeration of old educated clans of academic elites, all wearing an emperor - or president for life - as a figurehead.
    "Communism" is what they've used to convince and brainwash their citizenry while using the same tried-and-true old imperial formula of keeping enough people happy to maintain their government and use iron fists on the rest.

    "...under penalty of imprisonment or even death for non-compliers?"

    Have you looked at the US lately? Scratch that, have you even read US history books? Oppression, genocide, and taking down the minority is a core part of north american history. Just ask asian americans, african americans, the latino community, and, of course, ze jews. Always the jews. And even they have it comparatively easy compared to native americans.

    When studies keep showing that for the same crimes black and latino people are convicted more often and to more severe sentences than white people, it gets real hard for the US to claim moral high ground.

    China's oppression of the Uyghur is not a new story. It goes back many centuries and the victimization of the civilian population has gone unnoticed or been ignored by the west for as long as the western powers have been aware of it.

    In recent times because the US is no longer able to lead the world against ANY moral failing. Not after Abu Ghraib and Guantanamo. Not after the Patriot Act. Not after the war of aggression against Iraq under ridiculously obvious false pretenses.
    GWB and Donald Trump managed to eliminate the US completely as a credible leader.

    This is terrifying as the world certainly needs someone both able to point out to great nations behavior which is not OK or deplorable.

    This is made extra hard as China has been able to consistently call on the same excuses the US has for their actions; in the 50's the Uyghurs managed to briefly secede, aligned with the Soviet Union. In the 2000's the Uyghur independent movement aligned with first Al-quaeda and later on, ISIS/Daesch.

    This means that every time an american diplomat has the balls to raise the question of Uyghur internment camps the chinese response is "So, tell us about Abu Ghraib. Have you dismantled Guantanamo yet? Would you care to take a loot at american mass incarceration statistics?" - and the american diplomat falls silent.

    Two wrongs don't make a right. It's just that no one wants to listen to the obvious hypocrite condemning others for failings they themselves possess.

    link to this | view in thread ]

  6. identicon
    Taska Louwenskie, 22 May 2021 @ 6:22pm

    Effective Use of Talent

    It's funny that the article criticized the Chinese government for taking advantage of the competition to weaponize an exploit. They don't need to. They can simply do surveillance with brute force, simple, straightforward and intimidating. Using a vulnerability is a pretty mild act. Don't forget that China's Great Firewall is much more powerful and effective than exploiting a vulnerability of the iPhone. And also don't forget that iPhone users are a relatively small group in China.

    Governments around the world have been monitoring and tracking their citizens in broad daylight. Ever since Snowden's revelation, they have even done away with their hypocritical veil of secretly watching our back, they just put everyone under their watch, I mean everyone, discriminately. If you think the Chinese government is awful, well, bad news for you, you are being watched as well, wherever you are.

    Speaking of oppression against the Uighur Muslims, it's sort of like the treatment of the Black people, the Asian people, and the Hispanic people by the whites in the US. The thing is that the Chinese Muslims waged violent terrorist attacks in several Chinese cities and they also started this jihadist separatist movement to cede away from China. Well, the Chinese government has to do something, and nothing they do will be pretty. Remember what the US did after 911?

    link to this | view in thread ]

  7. icon
    Chris Torris (profile), 3 Jul 2021 @ 3:03pm

    Yes I absolutely think it is possible to hire a hacker but I advise it should only be through the deep web or you can talk to sniffingnose @ repairman . c om
    They have worked for me severally.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.