How China turned an award-winning iPhone hack against the Uyghurs


In March 2017, a group of hackers from China arrived in Vancouver with one goal: to find hidden vulnerabilities in the world’s most popular technologies.

Google’s Chrome browser, Microsoft’s Windows operating system, and Apple’s iPhones were all in the crosshairs. But nobody broke the law. These were just a few of the participants in Pwn2Own, one of the world’s most prestigious hacking competitions.

It was the 10th anniversary of Pwn2Own, a competition in which elite hackers from all over the world take part, with huge cash prizes on offer if they manage to exploit previously undiscovered software vulnerabilities, so-called “zero days”. As soon as a flaw is found, the details are passed on to the companies involved so that they have time to fix it. The hacker, meanwhile, walks away with a financial reward and perpetual bragging rights.

For years, Chinese hackers have been the dominant forces at events like Pwn2Own, earning millions in prizes and establishing themselves among the elite. But in 2017 it all stopped.

One of China’s elite hacked an iPhone… Practically overnight, Chinese intelligence turned it into a weapon against a beleaguered ethnic minority, striking before Apple could fix the problem. It was a bold act performed in broad daylight.

In an unexpected statement, the billionaire founder and CEO of Chinese cybersecurity giant Qihoo 360 – one of the top tech companies in China – publicly criticized Chinese citizens going overseas to take part in hacking competitions. In an interview with Chinese news site Sina, Zhou Hongyi said that performing well at such events is only an “imaginary” success. Zhou warned that once Chinese hackers identify vulnerabilities in overseas competitions, they “can no longer be used”. Instead, the hackers and their knowledge should “stay in China” so that they can see the real meaning and “strategic value” of the software vulnerabilities.

Beijing agreed. Soon the Chinese government banned cybersecurity researchers from participating in hacking competitions overseas. Just a few months later, a new competition appeared in China to replace the international competitions. The so-called Tianfu Cup offered prizes that totaled over a million dollars.

The opening event took place in November 2018. The grand prize of $200,000 went to Qihoo 360 researcher Qixun Zhao, who demonstrated a remarkable chain of exploits that allowed him to easily and reliably take control of even the newest and most up-to-date iPhones. Starting from within the Safari web browser, he found a vulnerability in the core of the iPhone operating system, its kernel. The result? A remote attacker could take over any iPhone that visited a website carrying Qixun’s malicious code. It is the kind of hack that can potentially be sold on the open market for millions of dollars, allowing criminals or governments to spy on large numbers of people. Qixun called it “Chaos”.

Two months later, in January 2019, Apple released an update that fixed the bug. There was little fanfare – just a quick thank you to those who discovered it.

In August of this year, however, Google published an extraordinary analysis of a hacking campaign in which it stated that “iPhones were being exploited en masse”. The researchers dissected five different exploit chains that they had discovered “in the wild”. Among them was the exploit that had earned Qixun the grand prize at Tianfu, which they said had also been discovered by an unnamed “attacker”.

The Google researchers pointed to similarities between the attacks seen in the real world and Chaos. What their deep dive left out, however, was the identities of the victims and the attackers: Uyghur Muslims and the Chinese government.

A campaign of oppression

For the past seven years, China has committed human rights abuses against the Uyghurs and other minorities in western Xinjiang Province. Well-documented aspects of the campaign include detention camps, systematic compulsory sterilization, organized torture and rape, forced labor, and unprecedented surveillance efforts. Beijing officials argue that China is cracking down on “terrorism and extremism,” but the United States has, among other things, labeled the actions genocide. The abuses add up to an unprecedented high-tech suppression campaign that dominates Uyghur life and is partly based on targeted hacking campaigns.

China’s hacking of Uyghurs is so aggressive that it is effectively global and extends well beyond national borders. It is aimed at journalists, dissidents and anyone who raises Beijing’s suspicions of insufficient loyalty.

Shortly after Google’s researchers noticed the attacks, media reports connected the dots: the campaign using the Chaos exploit was targeting the Uyghurs, and the hackers were linked to the Chinese government. Apple published a rare blog post confirming that the attack had taken place over a two-month period: that is, the period that began immediately after Qixun won the Tianfu Cup and lasted until Apple released the update.


Steven Gregory