Chinese Government Targets iCloud Users with MITM Attack

According to the Internet censorship watchdog GreatFire.org, the Chinese government is currently staging a man-in-the-middle (MITM) attack on Apple's iCloud, in which all Chinese visitors to iCloud.com are redirected to a fake login page designed to trick them into disclosing their login credentials.

The attack, which appears to have been timed to coincide with yesterday's launch of the iPhone 6 in China, seems designed to give Chinese authorities access to all data stored on iCloud, including iMessages, photos and contacts. "If users ignored the security warning and clicked through to the Apple site and entered their username and password, this information has now been compromised by the Chinese authorities," GreatFire.org reports.

GreatFire.org is recommending that Internet users in China enable two-step verification for their iCloud accounts, and use trusted browsers such as Firefox or Chrome, both of which are capable of detecting and blocking MITM attacks. "Qihoo's popular Chinese 360 secure browser is anything but and will load the MITMed page directly," the organization notes.

The researchers say the attacks may well be related to the iPhone 6's new security features. "Ironically, Apple increased the encryption aspects on the phone allegedly to prevent snooping from the NSA," GreatFire.org notes. "However, this increased encryption would also prevent the Chinese authorities from snooping on Apple user data."

As a result, GreatFire.org suggests that the attack indicates there's at least some conflict between Apple and the Chinese government regarding some of the features of the iPhone 6. "This may also somehow be related again to images and videos of the Hong Kong protests being shared on the mainland," the researchers note.

GreatFire.org co-founder Charlie Smith told the South China Morning Post that there's no doubt of the Chinese government's involvement in the attack. "We know that the attack point is the Chinese Internet backbone and that it is nationwide, which would lead us to be 100 percent sure that this is again the work of the Chinese authorities," he said. "Only Chinese [Internet service providers] and the government have access to the backbone."

Smith added that more such attacks are likely as more services move to encrypted connections. "We expect that there will be more [MITM] attacks in the near future and that they will increase in severity," he said.

If the Chinese government is in fact involved, this wouldn't be the first such attack launched against protesters in Hong Kong. Earlier this month, Lacoon Mobile Security researchers came across a mobile remote access Trojan (mRAT) targeting Hong Kong protesters, with versions designed to infect both Android and iOS devices. "The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it's [the] first iOS Trojan linked to Chinese government cyber activity," Lacoon CTO Ohad Bobrov stated at the time.