Updated Oct. 23 at 1:30pm in Hong Kong.
Chinese authorities just launched “a malicious attack on Apple” that could capture user names and passwords of anyone who logs into iCloud from anywhere in the country, the well-respected censorship watchdog GreatFire.org reports. With that information, a hacker can view users’ contacts, photos, messages and personal information stored in the cloud.
China has an estimated 100 million iPhone users, and all of them could be vulnerable, GreatFire reports, thanks to a “man in the middle” attack that tricks users into believing they are logging in over a secure connection, when they are actually logging into a Chinese government-controlled site instead. “The attack point is the Chinese internet backbone, and that it is nationwide, which would lead us to be 100 percent sure that this is again the work of the Chinese authorities,” one of the GreatFire founders told the South China Morning Post.
The scale of the potential data breach is immense—and the timing is interesting for two reasons.
First, Chinese authorities have been strictly controlling information about Hong Kong’s Umbrella Movement on the mainland, by reporting about the protests without actually showing any protesters, and deleting messages and posts about the demonstrations from internet searches and the messaging services Weibo and WeChat. They’ve also been detaining mainland Chinese citizens believed to be sympathetic to the protesters. Keeping an eye on Apple users’ data could certainly help with both efforts.
Secondly, sales of the iPhone 6 just began Oct. 17 after several weeks’ delay in China, reportedly because of “resistance” from the Ministry of Industry and Information Technology after Apple added new security features. This summer, China said the “frequent locations” feature on Apple’s new operating system could reveal “state secrets.”
Beijing’s recent criticism of Apple comes after the company has worked for years to improve relations in Beijing, going so far as to self-censor apps there. Last year, for example, the company quietly deleted OpenDoor, an app that allowed users to evade China’s firewall. In August, Apple agreed to move its China iCloud storage to mainland China, reportedly to “ease tension” between the company and the government. Those decisions are now looking somewhat unwise, as GreatFire points out:
“Working with the authorities to help them prevent free access to news and information is not a guaranteed path to riches in China. If anything, cooperation with the Chinese authorities can now increasingly be labeled as the worst decision a foreign company can make. Not only will the authorities bite you in the ass, but your willingness to work with the censorship regime will lose you customers and fans worldwide.”
Update: Several hours after the GreatFire report, Apple posted an “update on iCloud.com security” to its own support center. “We’re aware of intermittent organized network attacks using insecure certificates to obtain user information, and we take this very seriously,” the company said, adding that the attacks “don’t compromise iCloud’s servers,” or affect devices running the Safari browser. The update, however, did not mention China specifically.