
China collecting Apple iCloud data - tchalla
https://en.greatfire.org/blog/2014/oct/china-collecting-apple-icloud-data-attack-coincides-launch-new-iphone
======
dmix
China's surveillance is always so blatant and public, they don't bother trying
to hide it like America (which is analogous to political corruption in both
countries).

When the artist Ai Weiwei had his email account compromised by the state, they
simply logged into his email webmail UI and forwarded a copy of his emails to
a 3rd party email address. They didn't even bother intercepting his email at
the network or service provider level.

Edit: > "Apple increased the encryption aspects on the phone allegedly to
prevent snooping from the NSA. However, this increased encryption would also
prevent the Chinese authorities from snooping on Apple user data."

It's a shame articles keep confusing Apple's hard-disk encryption with network
data encryption. :\

~~~
owenmarshall
> China's surveillance is always so blatant and public, they don't bother
> trying to hide it like America.

I'm a little shocked - they've surely got the ability to do a proper MITM.
CNNIC is a root CA for plenty of browsers. Saving it up for when they really
need it, maybe?

~~~
cnphil
They've got like tons of CAs.

In China, it's very common for websites to ask people to trust their self-
issued certificates. If you want to buy train tickets in China, you end up
with this page ([https://kyfw.12306.cn/otn](https://kyfw.12306.cn/otn)) which
asks you to trust its own cert.

~~~
owenmarshall
Ah, so there's an expectation amongst Chinese users that a self-signed cert is
sufficient? Well.

~~~
sillysaurus3
I mean, what would you do? If you want the train ticket, you have to accept
those terms. And you need the train ticket.

~~~
larrys
Billions of people. For sure.

This AM an electrician comes over, guy in his early 30s (not an old timer), has
a new iPhone and doesn't know how to sync and get the old stuff to the new
iPhone. Doesn't even know that Apple can help him with that. For computer
things relies on his brother in law "the computer guy". Thinks Dell makes great
"computers". "Don't they?" he says to me. Doesn't even really understand the
difference between Mac OS and Windows. [1]

Point being there are tons of people out there that you could get to do
practically anything. And they don't know the difference between one warning
dialog box and another. It's just all a mashup to them.

[1] Add: By that I mean isn't aware that there is even a difference more than
Coke vs. Pepsi is different.

~~~
mogomump
This AM, a software developer comes over to fix my computer. He had just bought
a new dimmer for his living room lights. Doesn't even realize that you can't
use a conventional dimmer with compact fluorescent lights. "They are the same,
right?"[1]

[1] Add: By that, I mean he isn't aware of the things he isn't aware of.

Ease up on the geek rhetoric until you walk in his shoes.

~~~
hueving
Way to miss the point. There is no time where we are expected to understand
the subtle differences of dimmers. Users of computers are quite frequently
expected to know which operating system they have when following instructions
just for operating a computer. They will also encounter certificate errors in
day-to-day operations.

~~~
LLWM
They shouldn't be expected to know that though. The problem is that software
developers haven't managed to figure that out and just make things work for
their customers the way electricians have. Can you imagine if you went to the
store to pick up a replacement light bulb and you had to look up whether your
house used AC or DC? It's such a basic difference, everyone should know,
right?

------
ryan-c
I've done some analysis on 360 secure browser's SSL handling in the past. I
don't have my notes handy, but it can easily be taken advantage of by anyone,
not just the Chinese government. I'm somewhat confused by this, as it would
not be difficult to just bundle MitM CAs with this browser.

It's also not as popular as frequently reported. It is widely installed
because many orgs are required to have the security software that bundles it,
but when I was researching it the consensus I got from several Chinese people
was that few people actually used it - "only old people who don't know
computers use it".

~~~
ximeng
Interesting, thanks. How can you measure the popularity? "Several" doesn't
make much of a dent in the Chinese population.

~~~
ryan-c
Yes, that is true, it's a limited sample size, but it agrees with what I've
seen from various sites that measure browser popularity. Having better numbers
would be good.

------
dewiz
"They should also enable two-step verification for their iCloud accounts. This
will protect iCloud accounts from attackers even if the account password is
compromised."

I wonder if 2FA is really that safe in a country like that; they have all the
means to intercept the second channel. It just requires knowledge about the
account owner or some not too complex synchronization to detect auth codes sent
via text messages.

~~~
dwild
That's why I don't like 2FA with SMS. How can you trust a password that's sent
in the clear through multiple carriers?

A good 2FA doesn't require anything other than the local time to generate the
current password.

~~~
smtddr
_> That's why I don't like 2FA with SMS. How can you trust a password that's
sent in the clear through multiple carriers?_

Hmm, maybe websites should allow people to select an "encryption" format for
the SMS. Something not too complicated, like a ROT13'ish type of thing:

 _" We'll txt you the code, but every 3rd char should be ignored... or every 4th
number should be multiplied by 3"_

~~~
DasIch
The general assumption in cryptography is that the algorithm used for
encryption is known. Even if you relax that restriction and assume you know
which algorithms a user can choose but not which one she chose, you could still
just try all of them, if they are "not too complicated".

~~~
esrauch
If 3 login attempts invalidate the OTP then you only need a manageable number
of different "known modifications" to tell the user through the secure channel
to keep this safe. If they can arbitrarily brute force your OTP anyway then the
OTP isn't really going to be all that useful at 10k possibilities.

That said, hardly any user would be willing to take on such complexity without
very strong reason.
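The two claims above, that a good second factor needs nothing but a shared secret and the local clock (dwild) and that a short code only survives online guessing if a few wrong attempts invalidate it (esrauch), are what RFC 6238 TOTP plus a server-side attempt limit give you. The following is an added example written for this page, not code from the article or from Apple; it uses the RFC 6238 SHA-1 test-vector secret and a constructed 30-second step, and deliberately omits clock-skew tolerance so the lockout logic stays visible:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// totp derives an RFC 6238 code from the shared secret and the Unix time:
// HOTP(K, floor(T/step)) truncated to the requested number of digits. The
// only inputs are the secret and the clock, so nothing travels over SMS.
func totp(secret []byte, unixTime int64, step int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation (RFC 4226 section 5.3).
	offset := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Verifier is the server side. It locks a time-step after maxTries wrong
// guesses and never accepts the same step twice, so a 6-digit code is not
// exposed to a 10^6-guess online brute force or to replay.
type Verifier struct {
	secret   []byte
	step     int64
	digits   int
	maxTries int
	failures map[uint64]int  // wrong guesses seen per time-step
	used     map[uint64]bool // time-steps already consumed by a success
}

func NewVerifier(secret []byte, maxTries int) *Verifier {
	return &Verifier{secret: secret, step: 30, digits: 6, maxTries: maxTries,
		failures: map[uint64]int{}, used: map[uint64]bool{}}
}

// Check validates a submitted code at time now. Accepting the neighbouring
// steps for clock skew is left out on purpose (assumption made for brevity).
func (v *Verifier) Check(code string, now int64) bool {
	counter := uint64(now / v.step)
	if v.used[counter] || v.failures[counter] >= v.maxTries {
		return false
	}
	expected := totp(v.secret, now, v.step, v.digits)
	if subtle.ConstantTimeCompare([]byte(code), []byte(expected)) == 1 {
		v.used[counter] = true
		return true
	}
	v.failures[counter]++
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector secret
	fmt.Println("T=59 ->", totp(secret, 59, 30, 8))
	v := NewVerifier(secret, 3)
	// Three wrong guesses lock the step; the correct code is then refused.
	for _, guess := range []string{"000000", "111111", "222222", "287082"} {
		fmt.Printf("guess %s at T=59: %v\n", guess, v.Check(guess, 59))
	}
}
```

With the test-vector secret, `totp(secret, 59, 30, 8)` yields the RFC's published value 94287082; the 6-digit form is 287082, and after three bad guesses in the same 30-second window the verifier rejects it even though it is correct. A real deployment would also persist the `used` and `failures` state and accept one step of skew either way.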

------
hiraki9
Does this only occur when the user logs into iCloud using the web, or does it
happen on the device as well?

Does anyone know if iOS uses certificate pinning when connecting to iCloud
services, and if so whether that is sufficient to protect against this type of
attack?

~~~
preek
It's a classic MITM which includes switching of the SSL certificate. In
regular browsers the user would need either to confirm that they know what
they are doing (Firefox) or not get to the page at all (Chrome).

I'm not an iOS dev, but I do not think that the iOS SDK would allow for
invalid certificates. Then Apple could just go ahead and not use any
encryption at all.

The 'hack' in the article works, because users ignore security warnings or
even use a browser that is clearly made to easily snoop on people.

~~~
daturkel
Minor correction: on Chrome you can still get to the page if the browser
doesn't trust the CA, the option is just hidden.

------
cnphil
iCloud is not the only victim here. Google's IPv6 access has been suffering
the same attack since September. (IPv4 access has been blocked entirely for 5
months)

It's not shocking news, however. Apple has already moved [1] some of its
storage servers to Beijing. The attack could just be the authorities making
sure that Chinese users' iCloud data is actually stored in China.

[1] [http://techcrunch.com/2014/08/15/apple-taps-china-telecom-as-icloud-storage-provider-for-customers-in-china/](http://techcrunch.com/2014/08/15/apple-taps-china-telecom-as-icloud-storage-provider-for-customers-in-china/)

~~~
higherpurpose
So China is double-dipping? I was hoping that post-Snowden, this kind of
request from some countries that companies need to store data locally, to make
sure the data isn't taken by the US government, would encourage companies to
encrypt the data end-to-end (client-side), before they get it into their
clouds. Then nobody could complain about the data not being safe from the US
government. It should be safe since even the company shouldn't have access to
it.

I realize this isn't the _real_ reason why China told Apple to build a
datacenter there, but that's the one they used publicly, and as long as the
company itself can get access to that data, then the argument is a pretty
plausible one, even from China. Apple, Google and others could _weaken_ this
argument by adopting end-to-end encryption for their services.

Unfortunately, it seems the companies decided to keep the data as is, but
build the data centers in Russia, China and wherever else they might ask them
to do it.

~~~
pjc50
Apple implemented not-exactly-end-to-end encryption on phones and the _FBI_
publicly complained. Implementing effective encryption would most likely
result in threats of a ban by the Chinese government. See
[http://www.wired.co.uk/news/archive/2013-07/11/blackberry-india](http://www.wired.co.uk/news/archive/2013-07/11/blackberry-india)

Ultimately there's only so far you can go against the wishes of the Chinese
government when your factories are there, or against the US government when
your HQ is there.

~~~
aroch
Apple products are already banned for Gov usage.

[http://www.reuters.com/article/2014/08/06/us-china-apple-idUSKBN0G60JQ20140806](http://www.reuters.com/article/2014/08/06/us-china-apple-idUSKBN0G60JQ20140806)

------
zaroth
Would HSTS have helped in this situation?

HSTS is mainly to prevent SSL-stripping. But I think part of HSTS could also
note that the certificate was trusted, and then having an HSTS header could
entirely prevent any later connection with the self-signed certificate,
without clearing the HSTS history.

You may not need to even store the extra bit, it's enough to say if you have
HSTS then by default the connection must not just be encrypted, but it must be
trusted.

Do current browsers entirely prevent a connection to untrusted certs when HSTS
is set? Or is it just the same error you get when connecting to any self-
signed cert?

~~~
acebarry
> Do current browsers entirely prevent a connection to untrusted certs when
> HSTS is set?

Yes. HSTS would not do much to prevent active MiTM. HSTS just tells the
browser that it should only connect to the site over HTTPS. It does not
mention which certificates are trusted.

It seems like you are hinting towards certificate pinning
([https://en.wikipedia.org/wiki/Transport_Layer_Security#Certi...](https://en.wikipedia.org/wiki/Transport_Layer_Security#Certificate_pinning)).
Pinning would prevent rogue CAs from signing bad certificates, but pinning is
hard to do on the web. It is mainly used with mobile applications from what I
have seen.

Edit: Here is a list of pinned sites in Chrome, if you are curious.
([https://src.chromium.org/viewvc/chrome/trunk/src/net/http/tr...](https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json))

------
logotype
I've seen warnings about Google certs also, when not connected via VPN.

------
blinkingled
So Cert Pinning won't help in this case? Or maybe not doing stuff like cert
pinning is one of many (maybe even lawful) requisites of doing business in
China?

~~~
zymhan
You don't need certificate pinning to prevent this issue, you just need a
modern browser with up-to-date trusted certificates. Certificate pinning would
only help if the certificate the government is presenting matched the site's
URL.

~~~
blinkingled
> Certificate pinning would only help if the certificate the government is
> presenting matched the site's URL.

And what prevents the government from doing that? Certificate pinning will
address MITM no matter what - if the certificate the browser receives is not
the one it pinned, it will refuse to connect even if the cert was signed by
another trusted authority.

Although it's unclear from the article as to what really is happening - is it
that Apple trusts whatever Chinese CA is used to forge the certificate for
iCloud.com but others like Mozilla and Google don't? In any case I don't see
how pinning won't help here.

~~~
iancarroll
No, nobody trusts this certificate - it is identical to the one you generate
yourself with OpenSSL. Certificate pinning would be nice but it's simply not
the issue or fix at hand here...

If China were to misuse the root I believe their academics dept has, it would
be instantly banned. There was a bugzilla bug about removing it @ Mozilla and
a LOT of people supported it, but it won't be removed unless there is abuse.
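The exchange above runs together three distinct checks: the browser's trust-store chain validation that preek and daturkel describe (which rejects a self-signed certificate outright), the "rogue root CA in the store" case owenmarshall raised and iancarroll says has not been exercised, and the public-key pinning acebarry and blinkingled discuss, which ignores the issuer entirely. The following is an added example written for this page, not code from the article, from Apple or from any browser vendor: it generates throwaway keys and certificates in-process (the hostname `www.icloud.com` is used only as a label and no real iCloud key is involved), puts a rogue root into the trust store, and evaluates each of the three leaf certificates under both checks. The pin format, base64 of SHA-256 over the DER SubjectPublicKeyInfo, is the one HPKP and Chrome's static pin list use:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // monotonic serial so every issued cert is distinct

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue builds a certificate for cn. parent == nil makes it self-signed,
// otherwise it is signed by parentKey exactly as a CA would sign it.
func issue(cn string, isCA bool, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// trustStoreAccepts is the browser's check: chain the leaf to any root in the store.
func trustStoreAccepts(leaf *x509.Certificate, roots []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// spkiPin is base64(SHA-256(DER SubjectPublicKeyInfo)); it depends only on
// the key, not on who signed the certificate.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

type outcome struct{ TrustStore, Pinned bool }

// scenario plays out the three cases from the thread against a trust store
// that, like a browser shipping a state-controlled root, contains a rogue CA.
func scenario() map[string]outcome {
	realCAKey, rogueCAKey, siteKey, mitmKey := newKey(), newKey(), newKey(), newKey()
	realCA := issue("Legit Root CA", true, realCAKey, nil, nil)
	rogueCA := issue("Rogue Root CA", true, rogueCAKey, nil, nil)
	const host = "www.icloud.com" // label only; constructed keys, not Apple's
	genuine := issue(host, false, siteKey, realCA, realCAKey)
	rogueSigned := issue(host, false, mitmKey, rogueCA, rogueCAKey)
	selfSigned := issue(host, false, mitmKey, nil, nil)

	roots := []*x509.Certificate{realCA, rogueCA}
	pin := spkiPin(genuine) // the site pins its own key
	results := map[string]outcome{}
	for name, leaf := range map[string]*x509.Certificate{
		"genuine": genuine, "rogue-ca-signed": rogueSigned, "self-signed": selfSigned,
	} {
		results[name] = outcome{trustStoreAccepts(leaf, roots, host), spkiPin(leaf) == pin}
	}
	return results
}

func main() {
	for name, o := range scenario() {
		fmt.Printf("%-16s trust store: %-5v pinned: %v\n", name, o.TrustStore, o.Pinned)
	}
}
```

The self-signed leaf fails both checks, which is iancarroll's point: an ordinary trust store already stops the attack in the article. The rogue-CA-signed leaf passes the trust store but fails the pin, which is the case pinning exists for. Note that pinning to the leaf key as done here means a routine key rotation at the site breaks clients until the pin set is updated, which is why HPKP required a backup pin and why acebarry calls pinning hard on the web.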

------
smaili
Slightly off topic but does anyone here have any personal VPN recommendations?
From personal experience is preferable.

~~~
tjohns
Assuming you just need it while traveling, running a VPN server at home is a
cheap and effective option. In particular, both DD-WRT and RouterOS have
OpenVPN support.

~~~
Viper007Bond
I run a native one off my Synology NAS. Works great. GUI and everything.

------
tn13
I am using a Nokia 1100. No government can possibly extract any of my key
information like emails, photos and so on.

~~~
wy
Totally unrelated to the topic.

~~~
tn13
Thanks for the informative comment.

------
preek
TL;DR - China likes to spy on everyone's data and can do so, because they own
their country. This incident is on iCloud, but is only in alignment with their
greater strategy and not Apple's fault.

~~~
selmnoo
Of course, just as America likes to spy on everyone as well. But let's not
completely pardon Apple, they can always do _something more_ to strengthen
their systems to be more and more resilient to these attacks. It might well be
a cat and mouse game, but they should at least try and play rather than just
give up. They're sitting on hundreds of billions of dollars, they get hundreds
from many of us, the least they can do is look out for us a little more.

~~~
preek
I'm not saying security is not an important issue. Inherently it is.

The problem is that Apple is using the industry standard for encryption here
(SSL). China cracks that security by giving their folks a browser that allows
them to easily swap the certificate out and send all the data to them before
sending it to Apple. This is called a MITM (Man In The Middle Attack).

Personally, I'm a big fan of privacy - also I'm the CTO of a web-company, so
I'm concerned with security for webapps, too.

When users ignore the warnings of their browsers (what Firefox would show in
such an event) or even install a "trojan browser" by a mean government - well,
then there is little you can do as a company.

Just wanted to give a short TL;DR on the article to prevent an iCloud
shitstorm on HN, because the article is really on how mean China is. Not
saying or implying at all that other governments are better.

Also not saying that Apple is perfect in terms of security. Btw, as developer
and sysadmin I'm using Debian stable - my Mac is for convenience and
productivity. Just saying that to disqualify myself as the regular fanboy(;

------
kathrinekennley
This attack will come as a surprise to Apple. In the past, the company has had
a bromance with the authorities and has blindly acquiesced when asked to
remove apps from the China app store.

