Connect with us

Tech

How China turned a prize-winning iPhone hack against the Uyghurs

Published

on

How China turned a prize-winning iPhone hack against the Uyghurs


In March 2017, a group of hackers from China arrived in Vancouver with one goal: Find hidden weak spots inside the world’s most popular technologies. 

Google’s Chrome browser, Microsoft’s Windows operating system, and Apple’s iPhones were all in the crosshairs. But no one was breaking the law. These were just some of the people taking part in Pwn2Own, one of the world’s most prestigious hacking competitions.

It was the 10th anniversary for Pwn2Own, a contest that draws elite hackers from around the globe with the lure of big cash prizes if they manage to exploit previously undiscovered software vulnerabilities, known as “zero-days.” Once a flaw is found, the details are handed over to the companies involved, giving them time to fix it. The hacker, meanwhile, walks away with a financial reward and eternal bragging rights.

For years, Chinese hackers were the most dominant forces at events like Pwn2Own, earning millions of dollars in prizes and establishing themselves among the elite. But in 2017, that all stopped. 

One of China’s elite hacked an iPhone…. Virtually overnight, Chinese intelligence used it as a weapon against a besieged minority ethnic group, striking before Apple could fix the problem. It was a brazen act performed in broad daylight.

In an unexpected statement, the billionaire founder and CEO of the Chinese cybersecurity giant Qihoo 360—one of the most important technology firms in China—publicly criticized Chinese citizens who went overseas to take part in hacking competitions. In an interview with the Chinese news site Sina, Zhou Hongyi said that performing well in such events represented merely an “imaginary” success. Zhou warned that once Chinese hackers show off vulnerabilities at overseas competitions, they can “no longer be used.” Instead, he argued, the hackers and their knowledge should “stay in China” so that they could recognize the true importance and “strategic value” of the software vulnerabilities. 

Beijing agreed. Soon, the Chinese government banned cybersecurity researchers from attending overseas hacking competitions. Just months later, a new competition popped up inside China to take the place of the international contests. The Tianfu Cup, as it was called, offered prizes that added up to over a million dollars. 

The inaugural event was held in November 2018. The $200,000 top prize went to Qihoo 360 researcher Qixun Zhao, who showed off a remarkable chain of exploits that allowed him to easily and reliably take control of even the newest and most up-to-date iPhones. From a starting point within the Safari web browser, he found a weakness in the core of the iPhones operating system, its kernel. The result? A remote attacker could take over any iPhone that visited a web page containing Qixun’s malicious code. It’s the kind of hack that can potentially be sold for millions of dollars on the open market to give criminals or governments the ability to spy on large numbers of people. Qixun named it “Chaos.”

Two months later, in January 2019, Apple issued an update that fixed the flaw. There was little fanfare—just a quick note of thanks to those who discovered it.

But in August of that year, Google published an extraordinary analysis into a hacking campaign it said was “exploiting iPhones en masse.” Researchers dissected five distinct exploit chains they’d spotted “in the wild.” These included the exploit that won Qixun the top prize at Tianfu, which they said had also been discovered by an unnamed “attacker.” 

The Google researchers pointed out similarities between the attacks they caught being used in the real world and Chaos. What their deep dive omitted, however, were the identities of the victims and the attackers: Uyghur Muslims and the Chinese government.

A campaign of oppression

For the past seven years, China has committed human rights abuses against the Uyghur people and other minority groups in the Western province of Xinjiang. Well-documented aspects of the campaign include detention camps, systematic compulsory sterilization, organized torture and rape, forced labor, and an unparalleled surveillance effort. Officials in Beijing argue that China is acting to fight “terrorism and extremism,” but the United States, among other countries, has called the actions genocide. The abuses add up to an unprecedented high-tech campaign of oppression that dominates Uyghur lives, relying in part on targeted hacking campaigns.

China’s hacking of Uyghurs is so aggressive that it is effectively global, extending far beyond the country’s own borders. It targets journalists, dissidents, and anyone who raises Beijing’s suspicions of insufficient loyalty. 

Shortly after Google’s researchers noted the attacks, media reports connected the dots: the targets of the campaign that used the Chaos exploit were the Uyghur people, and the hackers were linked to the Chinese government. Apple published a rare blog post that confirmed the attack had taken place over two months: that is, the period beginning immediately after Qixun won the Tianfu Cup and stretching until Apple issued the fix.  

Tech

Donald ’67, SM ’69, and Glenda Mattes

Published

on

Donald ’67, SM ’69, and Glenda Mattes


Don Mattes started giving to the Picower Institute for Learning and Memory at MIT before he himself was diagnosed with Alzheimer’s disease. Since his death in 2020, his wife, Glenda, has carried forward Don’s passion for its work. “My wish is that no one ever has to go through the horrors of Alzheimer’s disease ever again,” Glenda says. The Matteses have also supported the Koch Institute for Integrative Cancer Research at MIT.

Legacy sparks hope. An early key employee of Andover Controls who later ran the company’s European operations, Don visited six continents with Glenda during their 30-year marriage—often to ski or bicycle. “Don’s was a life well lived, just too short,” Glenda says. The couple made provisions in their estate plan to support the Picower Institute. After Don died, Glenda made a gift to MIT of real estate that established both endowed and current-use funds there to support research on Alzheimer’s, dementia, and other neurodegenerative diseases. Glenda is a cancer survivor, and the gift also endowed a fund in the couple’s name at the Koch Institute.

Great discoveries being made at MIT: “Don always said the best thing he got from MIT was being taught how to think,” Glenda says. “MIT is an amazing place. Picower Institute director Li-Huei Tsai and her team are doing more than looking for a treatment for Alzheimer’s. They’re looking for the root cause of the disease. I am also fascinated with the Koch’s melding of engineering and biology. The chances they are going to solve the cancer issue someday are very high.” 

Help MIT build a better world.
For more information, contact Amy Goldman: (617) 253-4082;  goldmana@mit.edu. Or visit giving.mit.edu/planned-giving.

Continue Reading

Tech

Investing in women pays off

Published

on

Investing in women pays off


“Starting a business is a privilege,” says Burton O’Toole, who worked at various startups before launching and later selling AdMass, her own marketing technology company. The company gave her access to the HearstLab program in 2016, but she soon discovered that she preferred the investment aspect and became a vice president at HearstLab a year later. “To empower some of the smartest women to do what they love is great,” she says. But in addition to rooting for women, Burton O’Toole loves the work because it’s a great market opportunity. 

“Research shows female-led teams see two and a half times higher returns compared to male-led teams,” she says, adding that women and people of color tend to build more diverse teams and therefore benefit from varied viewpoints and perspectives. She also explains that companies with women on their founding teams are likely to get acquired or go public sooner. “Despite results like this, just 2.3% of venture capital funding goes to teams founded by women. It’s still amazing to me that more investors aren’t taking this data more seriously,” she says. 

Burton O’Toole—who earned a BS from Duke in 2007 before getting an MS and PhD from MIT, all in mechanical engineering—has been a “data nerd” since she can remember. In high school she wanted to become an actuary. “Ten years ago, I never could have imagined this work; I like the idea of doing something in 10 more years I couldn’t imagine now,” she says. 

When starting a business, Burton O’Toole says, “women tend to want all their ducks in a row before they act. They say, ‘I’ll do it when I get this promotion, have enough money, finish this project.’ But there’s only one good way. Make the jump.”

Continue Reading

Tech

Preparing for disasters, before it’s too late

Published

on

Preparing for disasters, before it’s too late


All too often, the work of developing global disaster and climate resiliency happens when disaster—such as a hurricane, earthquake, or tsunami—has already ravaged entire cities and torn communities apart. But Elizabeth Petheo, MBA ’14, says that recently her work has been focused on preparedness. 

It’s hard to get attention for preparedness efforts, explains Petheo, a principal at Miyamoto International, an engineering and disaster risk reduction consulting firm. “You can always get a lot of attention when there’s a disaster event, but at that point it’s too late,” she adds. 

Petheo leads the firm’s projects and partnerships in the Asia-Pacific region and advises globally on international development and humanitarian assistance. She also works on preparedness in the Asia-Pacific region with the United States Agency for International Development. 

“We’re doing programming on the engagement of the private sector in disaster risk management in Indonesia, which is a very disaster-prone country,” she says. “Smaller and medium-sized businesses are important contributors to job creation and economic development. When they go down, the impact on lives, livelihoods, and the community’s ability to respond and recover effectively is extreme. We work to strengthen their own understanding of their risk and that of their surrounding community, lead them through an action-planning process to build resilience, and link that with larger policy initiatives at the national level.”

Petheo came to MIT with international leadership experience, having managed high-profile global development and risk mitigation initiatives at the World Bank in Washington, DC, as well as with US government agencies and international organizations leading major global humanitarian responses and teams in Sri Lanka and Haiti. But she says her time at Sloan helped her become prepared for this next phase in her career. “Sloan was the experience that put all the pieces together,” she says.

Petheo has maintained strong connections with MIT. In 2018, she received the Margaret L.A. MacVicar ’65, ScD ’67, Award in recognition of her role starting and leading the MIT Sloan Club in Washington, DC, and her work as an inaugural member of the Graduate Alumni Council (GAC). She is also a member of the Friends of the MIT Priscilla King Gray Public Service Center.

“I believe deeply in the power and impact of the Institute’s work and people,” she says. “The moment I graduated, my thought process was, ‘How can I give back, and how can I continue to strengthen the experience of those who will come after me?’”

Continue Reading

Copyright © 2021 Seminole Press.