China Accused Of Attacking Apple iCloud - InformationWeek
10/20/2014
02:48 PM
China Accused Of Attacking Apple iCloud

Media freedom group GreatFire.org claims Apple's iCloud is being subject to a man-in-the-middle attack by China's censorship apparatus.

Apple's iCloud service is being subjected to a man-in-the-middle attack by authorities in China, according to GreatFire.org, a website that monitors censorship in China.

Based on technical information posted on GreatFire.org, it appears that China's security apparatus is employing a fake Apple certificate to intercept iCloud data traffic.

"This is clearly a malicious attack on Apple in an effort to gain access to usernames and passwords and consequently all data stored on iCloud such as iMessages, photos, contacts, etc," GreatFire.org wrote Monday on its website. "Unlike the recent attack on Google, this attack is nationwide and coincides with the launch today in China of the newest iPhone."

In order for a web browser to know whether a website is what it claims to be, it relies on a certificate issued by a certificate authority, a third-party organization that vouches for the website through a cryptographic signature. Fake certificates, however, can be obtained, illicitly or by lawful process.

The alleged attack appears to be affecting access to Apple's website in the US, at least in the Google Chrome browser. Attempting to visit Apple.com on Monday morning Pacific Time using Chrome presented a security warning, "Your connection is not private," and an error string referring to an invalid certificate authority.
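The certificate check described above can be reproduced in a lab with the `openssl` command line. This is an added example, not part of the original article: the hostname, CA names and file names are hypothetical, and the certificates are throwaway ones generated on the spot. It shows that a certificate carrying the right hostname is still rejected when its issuer is not in the client's trust store.

```shell
#!/usr/bin/env bash
# Constructed lab: two throwaway private CAs and a hypothetical hostname.
set -euo pipefail
HOST="service.example.test"   # hypothetical name, not a real service

make_ca() {   # $1 = CA name -> $1.key, $1.pem (self-signed root, CA:TRUE)
  openssl req -x509 -config lab.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 1 -subj "/CN=$1" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_leaf() {   # $1 = signing CA, $2 = output prefix; subject is always $HOST
  openssl req -new -config lab.cnf -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 1 -out "$2.pem" 2>/dev/null
}

check_chain() {   # $1 = trust store, $2 = leaf; echoes trusted or rejected
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

run_demo() {
  local dir
  dir=$(mktemp -d)
  cd "$dir"
  # Minimal config so the result does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > lab.cnf
  make_ca trusted-ca      # stands in for a root the client already trusts
  make_ca unknown-ca      # stands in for an issuer absent from the trust store
  issue_leaf trusted-ca genuine
  issue_leaf unknown-ca substituted
  echo "genuine=$(check_chain trusted-ca.pem genuine.pem)" \
       "substituted=$(check_chain trusted-ca.pem substituted.pem)"
  cd / && rm -rf "$dir"
}

RESULT=$(run_demo)
echo "$RESULT"
```

Both leaf certificates name the same host; only the signing chain differs, which is what the client's validation checks.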

Google did not immediately respond to a request to explain the warning for visiting Apple's website in the US using Chrome. GitHub, Google, Microsoft, and Yahoo have also been subjected to similar attacks in China.

According to GreatFire.org, both Chrome and Mozilla Firefox will try to prevent users from accessing websites with forged certificates. However, Firefox did not suggest anything was amiss when accessing Apple's website in the US.

Apple did not immediately respond to a request for comment.

The alleged attack follows Apple's claims last month that it has never created a backdoor in its products to provide government authorities with access. Apple also said it cannot decrypt data on iOS 8 devices, regardless of government demands.

In the US, Apple's claims about the security of data on iOS devices have prompted FBI Director James Comey to call for an update to the 1994 Communications Assistance for Law Enforcement Act (CALEA) to ensure authorities can access encrypted data on devices. The security industry calls this a backdoor; Comey insisted, "We are not seeking a backdoor approach."

In China, Apple's security claims appear to have elicited a different response. GreatFire.org speculates that the man-in-the-middle attack may reflect the security in the new iPhone, which just became available in China. By gathering Apple IDs and passwords, Chinese authorities would have an easier time unlocking encrypted data on iOS devices.

"When details of the new iPhone were announced, we felt that perhaps the Chinese authorities would not allow the phone to be sold on the mainland," GreatFire.org says.

The website noted that while it's not clear whether Apple altered the iPhone in mainland China to accommodate authorities, the man-in-the-middle attack suggests tension with Chinese authorities.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Comments
jagibbons,
User Rank: Ninja
10/21/2014 | 8:18:50 PM
Re: China Accused Of Attacking Apple iCloud
Yes, but it is Apple-focused, which I find interesting.
Thomas Claburn,
User Rank: Author
10/21/2014 | 5:41:39 PM
Re: China Accused Of Attacking Apple iCloud
Except this isn't a device-centric attack. It's an attack on online trust infrastructure. If you were using iCloud on Windows, you'd be vulnerable too.
jagibbons,
User Rank: Ninja
10/21/2014 | 11:37:53 AM
Re: China Accused Of Attacking Apple iCloud
Anytime that people are flocking out to buy basically the same device as everyone else, it's going to draw the attention of hackers. I don't see this changing anytime soon for Apple.
micjustin33,
User Rank: Strategist
10/21/2014 | 10:57:11 AM
China Accused Of Attacking Apple iCloud
This has been one of the worst hack attacks Apple has recently been associated with. The hackers breached into iCloud's servers and got access to private photos of some celebrities. Upon accessing them, they circulated the pictures on the social media. This issue raised serious concerns about the security of iCloud.

Here is the complete iOS security guide which can help you to secure your device from further threats.