A Chinese Hacking Competition May Have Given Beijing New Ways to Spy on the Uyghurs

 

In 2019, Apple aimed to reassure its customers when it revealed in a blog post that it had fixed a security flaw in its iOS operating system. According to Apple, the exploited vulnerability was "narrowly focused" on websites with data relevant to the Uyghur community. 

It has since been revealed that the flaw in question was found at China's leading hacking competition, the Tianfu Cup, where a skilled hacker was rewarded for his efforts. The standard procedure would be to notify Apple of the flaw. However, it is said that the flaw was kept hidden, with the Chinese government obtaining it to spy on the country's Muslim minority.

Hacking competitions are a well-established method for technology companies like Apple to identify and address security flaws in their software. However, with state-sponsored hacking on the rise, the possibility that the Tianfu Cup is providing Beijing with new surveillance tools is worrying, particularly given how Chinese competitors have long dominated international hacking competitions. 

When software is compromised, it's usually because an attacker discovered and exploited a cybersecurity flaw that the software provider was unaware of. Finding these flaws before they're discovered by cybercriminals or state-sponsored hackers will save tech firms a lot of money. Until 2017, Chinese hackers took home a large percentage of the Pwn2Own awards. However, after a Chinese billionaire argued that Chinese hackers should "stay in China" because their work is strategic, Beijing responded by prohibiting Chinese people from participating in international hacking competitions.

In 2018, the Tianfu Cup was founded in China. A hacker participating in the Tianfu Cup in its first year created a prize-winning hack called "Chaos." The hack could be used to gain remote access to even the most recent iPhones, making them an easy target for surveillance. Two months later, Google and Apple both discovered the hack "in the wild" after it had been used in a targeted way against Uyghur iPhone users.

Despite the fact that Apple was able to mitigate the hack within two months, this case demonstrates the dangers of exclusive national hacking competitions, particularly when they take place in countries where people are required to comply with government demands. 

Hacking contests are intended to reveal "zero-day" vulnerabilities, which are security flaws that software vendors haven't discovered or predicted. The tactics used by prize-winning hackers are meant to be shared with vendors so that they can fix the underlying flaws. However, keeping zero-day vulnerabilities secret or passing them on to government agencies raises the likelihood of them being used in state-sponsored zero-day attacks.

In early 2021, four zero-day vulnerabilities in Microsoft Exchange were used to launch massive attacks against tens of thousands of organizations. Hafnium, a Chinese government-backed hacking group, has been linked to the attack. Evidence indicates that cybercriminal gangs are operating closely, and even interchangeably, with state-sponsored hacking groups in Russia and China.

The Tianfu Cup appears to have given China access to a new talent pool of expert hackers, who are inspired by the competition's prize money to develop potentially dangerous hacks that Beijing would be able to use both at home and abroad.