Massive iPhone Hack Targets Uyghurs

China is being blamed for a massive surveillance operation that targeted Uyghur Muslims. This story broke in waves, the first wave being about the iPhone.

Earlier this year, Google's Project Zero found a series of websites that had been using zero-day vulnerabilities to indiscriminately install malware on the iPhones of anyone who visited them. (The vulnerabilities were patched in iOS 12.1.4, released on February 7.)

Earlier this year Google's Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day.

There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.

TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.

Four more news stories.

This upends pretty much everything we know about iPhone hacking. We believed that it was hard. We believed that effective zero-day exploits cost $2M or $3M, and were used sparingly by governments only against high-value targets. We believed that if an exploit was used too frequently, it would be quickly discovered and patched.

None of that is true here. This operation used fourteen zero-day exploits. It used them indiscriminately. And it remained undetected for two years. (I waited before posting this because I wanted to see if someone would rebut this story, or explain it somehow.)

Google's announcement left out details, like the URLs of the sites delivering the malware. That omission meant that we had no idea who was behind the attack, although the speculation was that it was a nation-state.

Subsequent reporting added that malware against Android phones and the Windows operating system was also delivered by those websites. And then that the websites were targeted at Uyghurs. Which leads us all to blame China.

So now this is a story of a large, expensive, indiscriminate, Chinese-run surveillance operation against an ethnic minority in their country. And the politics will overshadow the tech. But the tech is still really impressive.

EDITED TO ADD: New data on the value of smartphone exploits:

According to the company, starting today, a zero-click (no user interaction) exploit chain for Android can get hackers and security researchers up to $2.5 million in rewards. A similar exploit chain impacting iOS is worth only $2 million.

EDITED TO ADD (9/6): Apple disputes some of the claims Google made about the extent of the vulnerabilities and the attack.

EDITED TO ADD (9/7): More on Apple's pushbacks.

Posted on September 3, 2019 at 6:09 AM • 42 Comments

Comments

Godfree Roberts • September 3, 2019 6:59 AM

"So now this is a story of a large, expensive, indiscriminate, Chinese-run surveillance operation"?

Nooo, it's now a speculation about a large, expensive, indiscriminate, Chinese-run surveillance operation – like thousands of similar bs speculations about China.

Ismar • September 3, 2019 7:09 AM

This may sound a bit strange but I hope we get a similar discovery from Apple security research teams (that is if they have any) on a range of 0-day vulnerabilities in Android OS before any news of them being exploited in the wild 😀. Game is on Apple and we end users stand to benefit from it.

tds • September 3, 2019 8:53 AM

@Ismar, Steve

+1

I think one could argue that Google is ground zero for Surveillance Capitalism.

Perhaps that may be why Google's posts on this topic are short on prevention issues. For example, why mitigation strategies that would impact collecting personal data, to support their advertising business model, are absent. In addition, IIRC and IMO, there has been a lot of negative news about Google in the press recently (Change the subject time?).

Regardless, I'm glad that this Project Zero information is out there.

Finally, might 'cookies off' have helped mitigate the 'watering hole' attacks?

VinnyG • September 3, 2019 10:13 AM

@ Steve re: Uyghur iPhone ownership - Good question, I wondered that myself when I first ran across the story in mainstream media. iPhones tend to be among the more expensive smart device alternatives; one wouldn't ordinarily expect a minority as repressed and marginalized as the Uyghurs are portrayed to opt for the "premium" solution. I'd expect something more along the lines of cheap Android throwaway devices. Of course there could be some additional factor of which I am unaware...

Gunter Königsmann • September 3, 2019 11:04 AM

@tds: It would have. First since noscript only runs on Firefox and even if Firefox was equally vulnerable the exploits weren't delivered to Firefox browsers. And secondly as far as I can see the exploits don't look like being feasible from HTML alone: spawning hundreds of process groups of 16 processes each and similar. But I don't know a noscript user who isn't ready to try to turn noscript off many scripts if this is required to make a website work.

Clive Robinson • September 3, 2019 11:20 AM

@ Bruce,

And then that the websites were targeted at Uyghurs. Which leads us all to blame China.

Whilst the Chinese are known to have, to put it politely, a very robust attitude to Muslims, many others have an even worse attitude which involves a level of nastiness that could easily make people vomit. This includes many other Muslims, Hindus and various Government entities.

Thus personally I'd hold off making that sort of judgment until we have not just more evidence but more reliable evidence.

But what this does reinforce is my attitude to consumer electronics privacy and security, it's basically rubbish and anyone who makes the assumption that FMCE even high priced FMCE is walking down a path that could lead to disappearing and a lot of pain.

All this proves really is most designers have either not got a clue or a conscious decision has been made in their employing entity that "Privacy and Security" does not pay. We know this from Google's published rules for App developers and we know it's true for Microsoft.

Why people should think Apple are any better has always been a mystery to me...

Winter • September 3, 2019 11:32 AM

@Steve re: Uyghur iPhone ownership

iPhones are very popular in China. Also iPhones are seen as more "secure" than Android phones. The high prices for iPhone zero-days seem to support this. Therefore, activists tend to prefer iPhones over Android phones.

Re: NoScript:
Browsers on iOS are severely restricted. No elective script blocker seems to be "possible". Javascript is either on or off on an iPhone.

Petre Peter • September 3, 2019 11:45 AM

Hello I am a Mac. Hello, I am a Pixel. It seems a lot like the Mac vs PC campaign only this time with Google. What's next? Google opens their own stores?

Stereotyped • September 3, 2019 12:48 PM

Minority need not fit some stereotyped or prejudiced pigeon-hole. Some minorities are generally wealthier than the average majority. Some are generally poorer. iPhones can be status symbols - show off your wealth.

gordo • September 3, 2019 1:54 PM

Long article with lots of background, mostly not high tech, but here's a snip on high tech:

What’s Really Happening to Uighurs in Xinjiang?
China may have interned more than a million Uighurs in Xinjiang in an attempt to suppress their desire for greater autonomy.
By Rémi Castets, March 19, 2019

Xinjiang has also become a testing ground for high tech and big-data security. Smartphones can be checked at any time at police and other roadside checkpoints. A vast system of facial-recognition video surveillance has been upgraded. Most Uighurs have had to surrender their passports, destroying the hopes of those who want to emigrate.

https://www.thenation.com/article/china-xinjiang-uighur-oppression/

Anon • September 3, 2019 2:04 PM

One wonders whether the intended targets of these exploits might also have been those following information relevant to the Uyghur community in China - whether ethnic Uyghurs abroad, journalists, or international NGOs, for example. For whom an iPhone could have been a comparatively cheaper purchase. These external information consumers could be less well known / subject to control by Chinese authorities, but tossing a bit of barium in the watering hole (to mix metaphors) could serve to illuminate the map of interested parties in addition to any specific attack activities.

Nikola • September 3, 2019 3:15 PM

@Winter
The fact that the attack didn't work against iPhone XS also supports that iPhones are "more secure".

RealFakeNews • September 3, 2019 7:45 PM

Isn't the mantra "don't trust the network" taken to a new level in China?

Ergo, I'd be surprised China would need a scatter-gun approach to surveillance when they control the networks the group of interest uses.

This seems more like a fishing trip; see who knows what, and where.

Is there any indication that this attack can spread beyond the initially attacked device, or does any form of reconnaissance beyond the immediately infected device?

Does it act as a sleeper, or remote C&C point?

It seems there are still too many questions, and quite frankly as laudable Google are with their Zero Day Project, I don't trust their conclusions.

Scott • September 4, 2019 3:31 AM

https://www.youtube.com/watch?v=OQ5LnY21Hgc

https://www.theguardian.com/world/2019/jul/02/chinese-border-guards-surveillance-app-tourists-phones

What I don't fully get from these earlier reports is that when in Xinjiang you must have the government installed spyware on your Android phone. OK. But what do they do with iPhones? I'm sure the app isn't downloadable from the App Store and it's not so straightforward to sideload apps on iPhone as it is on Android.

According to this list: https://www.apple.com/retail/storelist/ there isn't an Apple branded store in Xinjiang though there are many in China. I'm sure there are official or unofficial resellers, though.

Dennis • September 4, 2019 4:34 AM

@RealFakeNews, "Ergo, I'd be surprised China would need a scatter-gun approach to surveillance when they control the networks the group of interest uses."

Google can't be trusted at this point due to the fact it's been turned into a propaganda outlet. I would agree that directing unsuspecting websurfers to a site is too much of a "scatter-gun" approach of surveillance. I seriously doubt they conduct this type of doings because there are other more effective and less expensive ways of conduct. This does not pass the sniff test at all.

tds • September 4, 2019 6:59 AM

@Clive Robinson

"Why people should think Apple are any better has always been a mystery to me..."

IIRC, Schneier on Security ("'SoS'") has discussed how privacy is required for security. It may be that Google's 'collect all personal information' mentality may be antithetical to privacy and security.

OTOH, IIRC, @thegrugq is considering switching from iPhone to Android.

These links address some of the security changes in iOS 13, although AFAIK not the topic of this thread.

https://www.forbes.com/sites/kateoflahertyuk/2019/09/01/apple-ios-13-launch-confirmed-5-iphone-security-features-coming-this-month/#5430425e2f2c

https://techcrunch.com/2019/07/18/ios-13-security-privacy/

Clive Robinson • September 4, 2019 7:51 AM

@ tds,

OTOH, IIRC, @thegrugq is considering switching from iPhone to Android.

That's his choice, but it's a little like asking,

    Which is better, to die under five tons of sand, or five tonnes of sand?

To all intents and purposes the end result is the same[1].

Which is the point Apple-v-Android makes a fractional difference and changes over time, but either way you are still going to end up the same way with an "End Run" or "Find Fix and Finish" attack.

As long as the "security end point" is on the same "consumer device" as the "communications end point" you are not secure and it's just a question of probability as to when you get to the end game.

The reason as far as "privacy" goes is that "consumer devices" such as Fast Moving Consumer Electronics (FMCE) are not designed in a way where there is sufficient segregation between the communications function and the Human Computer Interface (HCI) function. Therefore an attacker can use one of hundreds of attacks to "see" the HCI from the Communications channel, thus bypassing whatever crypto or security function the Application running on the FMCE Smart Consumer device does to make the security end point.

So if you want privacy the first step is to get the security end point off device so an attacker can not end run it from the communications channel.

However Privacy and Security are not the same thing. Privacy comes in levels within the more general domain of security. Thus you have basic "Data Privacy" that can be achieved by encryption. Then you have "Communications Privacy" that looks after making your communications of sufficiently Low Probability of Intercept (LPI) that an attacker can be assumed under normal conditions not able to detect your communications as the energy you emit is effectively below the attacker's receiver's noise floor. Then there is "Traffic Privacy" which assumes that whilst the attacker can see communications energy above their RX noise floor they can not work out if Data is being sent or who from or who to.

Each privacy domain falls in a different and often technically unrelated knowledge domain. Thus requiring not just different knowledge but very different techniques that are very much dependent on the domain. Thus the use of radio "Broadcast" networks is very different to the use of wired "Routed" networks.

[1] The metric tonne is 1000kg, the Imperial ton is 1016kg, thus the extra 80kg over the 5000kg, being only 1.6%, is not likely to change when you die.

tds • September 4, 2019 9:32 AM

https://twitter.com/daokedao1234/status/1135197464380792832

"VPN stops working? Have you ever wondered why the Great Firewall can block VPNs seemingly whenever it chooses to do so, but not always? No? I thought so, here's a thread on why anyways. 1/16

At the most basic level the internet is a game of hot potato. You stick a message (called a packet) a with a destination on it and a series of routers will estimate which direction they think its in and throw it off that way as quickly as they can until it gets there. 2/16"

pt • September 4, 2019 3:19 PM

Bruce:
Off-topic ....

Heads-up for upcoming seminar -- Asymmetric Threat Symposium XII, Oct 7, George Mason U, Arlington campus.
www.asymmetricthreat.net

SpaceLifeForm • September 4, 2019 3:19 PM

@Clive, @tds

I'll just note that @thegrugq uses both iPhone and Android, but recommends Android. He uses iPhone for a *reason*.

(the *reason* is not what most would guess. Remember, he always says to 'wash hands after return from libc'. He has *not* been researching this for years for no *reason*)

Here is a good overview of how the iPhone was hackable via Drive-by/Water Hole attack, and the effort involved to get root.

It takes many steps in the chain of flaws to get there.

https://azeria-labs.com/heap-exploit-development-part-1/

Note: I do not believe Apple has fully fixed this. I think they have blocked a specific step in the chain. But not fully solved because they have not blocked all angles of attack.

Think bandaid. Not tourniquet.

AtALibrary • September 4, 2019 4:20 PM

How about the cellular modem?

Might WiFi only iPads, iPhones or Android devices have fared better?

Is the following still valid? Nicholas Weaver from 2015. I wonder what he thinks now.

https://www.lawfareblog.com/iphones-fbi-and-going-dark

"Properly configured, an iOS device is perhaps the most secure, general purpose communication device available. The iPod Touch [iPad? ; Apple Watch?] in particular is my preferred communication device for those who need to operate in an extremely hostile network such as China or France, and for most users, iOS is vastly more secure than Android.

Despite this, "best" does not mean "impregnable".

[...]

The IMEI on the back is enough information for the FBI to find the phone's carrier and, with a simple warrant, gain a trove of information. Smart phones continuously communicate on the cellphone network, and Apple's Siri in particular will still use cellular connectivity even when on a WiFi network."

AtALibrary • September 4, 2019 4:56 PM

Extra time on your hands or curious

For the Uyghurs and the rest of us [1] might cookies be irrelevant. In other words, could somebody sniffing around identify one's device by its canvas, or whatever, fingerprint? As opposed to catching a fingerprint at an endpoint.

For device fingerprinting:

1) try https://panopticlick.eff.org using your cellular carrier with javascript turned on

2) try https://panopticlick.eff.org using your cellular carrier with javascript turned off

3) try https://panopticlick.eff.org using WiFi with javascript turned off

IIRC I couldn't get 2) to work

[1] Niemöller:

"First they came for the Communists
And I did not speak out
Because I was not a Communist

Then they came for the trade unionists
And I did not speak out
Because I was not a trade unionist

Then they came for the Jews
And I did not speak out
Because I was not a Jew

Then they came for me
And there was no one left
To speak out for me

[...]

Niemöller is quoted as having used many versions of the text during his career, but evidence identified by professor Harold Marcuse at the University of California Santa Barbara indicates that the Holocaust Memorial Museum version is inaccurate because Niemöller frequently used the word "communists" and not "socialists."[1] The substitution of "socialists" for "communists" is an effect of anti-communism, and most common in the version that has proliferated in the United States. According to Marcuse, "Niemöller's original argument was premised on naming groups he and his audience would instinctively not care about. The omission of Communists in Washington, and of Jews in Germany, distorts that meaning and should be corrected."[1]"

https://en.wikipedia.org/wiki/First_they_came_...

After listening to David Bowie, I thought of some of the stories or photos from the Hong Kong protests

https://www.youtube.com/watch?v=VrERLeFseDA
David Bowie - China Girl
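The device-fingerprinting question in the comment above (what a site can learn about a visitor with cookies off, and how much "javascript off" takes away) can be made concrete. The following is an added example, not code from the blog post or from any commenter: it models the attributes a server sees from the HTTP request alone against those that only page scripts can read, and hashes each set into a cookie-less identifier. The header values, IP address, screen values and the canvas digest are all constructed for the demonstration; in a real browser the canvas entry would be a hash of rendered pixel data, which this example does not compute.

```javascript
// Added example (not from the blog or any commenter): what a site can learn about a
// visitor without cookies. Two tiers of attributes are modelled:
//  - passive: visible to the server from the HTTP request alone (JavaScript off)
//  - active:  only readable when page scripts run (screen, timezone, canvas, ...)
// A stable hash over the attributes acts as a cookie-less identifier.

// FNV-1a 32-bit hash: deterministic, dependency-free, runs in Node and in browsers.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Canonicalise an attribute map (sorted keys) so the hash does not depend on
// the order in which attributes were collected, then hash it.
function fingerprint(attrs) {
  const canon = Object.keys(attrs).sort().map(k => `${k}=${attrs[k]}`).join("\n");
  return fnv1a32(canon);
}

// Attributes the server sees in every request, even with scripts disabled.
function passiveAttributes(headers, clientIp) {
  return {
    ip: clientIp,
    "user-agent": headers["user-agent"] || "",
    "accept-language": headers["accept-language"] || "",
    accept: headers["accept"] || "",
  };
}

// Attributes that only page scripts can read. The canvas value here is a
// constructed stand-in for a hash of rendered pixel data.
function activeAttributes(scriptEnv) {
  return {
    screen: `${scriptEnv.width}x${scriptEnv.height}x${scriptEnv.colorDepth}`,
    timezone: scriptEnv.timezone,
    platform: scriptEnv.platform,
    canvas: scriptEnv.canvasHash,
  };
}

// Full profile: passive only when scripts are off (scriptEnv === null),
// passive plus active when they are on.
function visitorProfile(headers, clientIp, scriptEnv) {
  const attrs = passiveAttributes(headers, clientIp);
  if (scriptEnv) Object.assign(attrs, activeAttributes(scriptEnv));
  return { attributeCount: Object.keys(attrs).length, id: fingerprint(attrs) };
}

// Constructed sample visit (not real traffic).
const SAMPLE_HEADERS = {
  "user-agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",
  "accept-language": "en-US,en;q=0.9",
  accept: "text/html,application/xhtml+xml",
};
const SAMPLE_IP = "198.51.100.23"; // documentation range, constructed
const SAMPLE_SCRIPT_ENV = {
  width: 375, height: 812, colorDepth: 32,
  timezone: "Asia/Shanghai", platform: "iPhone",
  canvasHash: "constructed-canvas-digest-0001",
};

// Command-line demo: the IP and User-Agent pair is already a stable identifier
// without any cookie; enabling scripts only widens the attribute set.
if (typeof require !== "undefined" && require.main === module) {
  console.log("scripts off:", visitorProfile(SAMPLE_HEADERS, SAMPLE_IP, null));
  console.log("scripts on: ", visitorProfile(SAMPLE_HEADERS, SAMPLE_IP, SAMPLE_SCRIPT_ENV));
}
```

Run it with `node` to see the two profiles side by side. The defensive reading is the one the comment is circling: turning cookies and scripts off shrinks the attribute set a site can hash, but the request headers and source address remain, so script blocking reduces the fingerprint surface without removing it.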

Ross Snider • September 4, 2019 4:57 PM

Right now the full force of evidence behind the accusation that this was a "large, expensive, indiscriminate, Chinese-run surveillance operation against an ethnic minority in their country" comes down to this single sentence from techcrunch.com:

"Sources familiar with the matter said the websites were part of a state-backed attack"

Kind of a rumor mill at this point.

Agree with Schneier that the technical angle of this story is fascinating.

Jon • September 5, 2019 1:37 AM

Two quick notes:

@ several folks: On "How many Uyghurs have iPhones" it seems to me that the average peasant, who has a stone hut and a fistful of sheep, isn't very interesting as a target. The interesting ones are those who are (at least somewhat) wealthy, powerful, and connected - their conversations are going to be much more interesting. And they will have phones, 'i' or not.

@ Ross Snider: It's the financial reasons. How many private hackers would throw away fourteen 0-days at USD$2,000,000 each to look at (successful (by Chinese standards, anyhow)) rural farmers? There is no motivation here but government surveillance, and since only the Chinese really care about suppressing Uyghurs - who else would do this? and why?

Have fun, Jon

Clive Robinson • September 5, 2019 3:17 AM

@ Ross Snider,

Kind of a rumor mill at this point.

Yup, and it's probably going to get worse before it gets better[1].

As I usually do, I say no "knee-jerk" / "gut reaction" finger pointing; instead build an evidence based case.

That is there should be a list of entities under suspicion as there would be with any investigation. With each entity to be carefully looked into further for actual evidence (preferably HumInt rather than SigInt based).

Thus as with any criminal investigation you first build your list based on past experience. Then you try to find evidence to eliminate entities off of the list, thus shortening it to manageable numbers. Then you start looking for evidence to further support or reduce your suspicions to start getting confirmation of the actual, not likely, culprit.

What people should not do is "jump to conclusions" especially when it's convenient and popular to do so[1].

Whilst China as the host nation with issues between the Chinese Government and the Uyghurs should be on that list, so should several others including other sects of the Muslim Faith.

Xinjiang province where this is going on, is to the far north west of China. As a region it has an extremely checkered history. In part due to the wealth of the Silk Road, but other political considerations both before and after that. It is mainly desert and mountain territory populated by people who are not ethnically Chinese being a mix of Mongolian and Persian descent. As such with Tibet and other invaded nations the Chinese policy has been one of subjugation as "buffer zones" to be politically reorientated. Around 11-12 million or ~80% of the people in the region are Uyghurs who are Sunni Muslim descendants who mainly live and farm around desert oases.

As Sunni Muslims they are seen as targets by others including certain Shia Muslim contingents. The current direct power projection behaviour of Saudi Sunni Muslims against adjacent Shia Muslim populations and nations is creating tensions all over the world. The reason for this is that Saudi and Iran see themselves as the equivalent of the super powers of the Muslim World and they are actively involved in a cold war style conflict. In particular they are fighting proxy wars[2] across the middle east, in Africa and importantly eastwards up to what China sees as its buffer nation borders (if not within their buffer nations).

As a policy the US Government see Saudi and other Sunni Muslim nations as friends and a number of Shia Muslim nations as enemies. Likewise China and Russia currently see things the other way regarding Iran and Shia Muslims as friends. All of which adds further fuel to the Sunni-Shia conflicts around the world.

Then there is India with its Hindu population and its political leaders flexing their muscles and actively engaging in anti Muslim behaviours in Kashmir that it sees as a buffer region between it and Pakistan. Whilst also involved in cold-war like behaviours with China and the disputed areas around Tibet etc.

Then there are the many US and more covert small European (including Israel) companies actively siding with these various nations to supply them with technology to spy on people.

Thus there are quite a number of "suspects" on the list, not just China.

[1] This is what happened with Amazon CEO Jeff Bezos who also owns The Washington Post over his alleged infidelity. Just about everybody in the US MSM and other places were pointing the finger at the US Gov and a friend of the current US President. However Jeff Bezos did not think that way, so he got in those experienced in doing investigations and the result was not what the US MSM had been saying. The finger on balance of evidence ended up pointing at the House of Saud and their current leader. The underlying reason was the killing by Saudi Arabian security personnel in Turkey of journalist Jamal Khashoggi who worked for the Washington Post. The Post were actively trying to bring as much evidence over the killing to the attention of the US public as they could. The House of Saud thus tried to "send a message" to Jeff Bezos to "warn him off" with such things as calling him a Jew and attacks on Amazon. This did not work and the Washington Post carried on digging into the House of Saud and publishing information that made the House of Saud look very bad. Thus the Saudis decided to "kill the messenger's" reputation in the US as a way to limit the damage.

[2] https://en.m.wikipedia.org/wiki/Iran–Saudi_Arabia_proxy_conflict

Scott • September 5, 2019 4:04 AM

@Clive Robinson, this is interesting: https://www.schneier.com/blog/archives/2019/09/massive_iphone_.html#c6798206

Where to read more about this mindset/setup at an "explain me like I'm five" level with examples? Do I have to be a nation state or a large corporation to use this kind of setup?

@Bruce used to suggest to dissidents in oppressive regimes to use Chromebooks. Then sure Google spies on you but not your oppressive government. I'm not sure Chrome OS can connect to Google's update servers from Xinjiang, though. These are the limits of this advice.

me • September 5, 2019 5:09 AM

to all security researchers who sell exploits:
they give you money not because you are so damn 1337 but to ignore your moral compass, without all that money you would see that having them fixed is the best solution.

Schneier pointed out many times phone security is national security;
while CitizenLab pointed out that the exploits are abused by Mexico to spy on those who report corruption, and they are not alone; China and many others are doing the same.

lurker • September 5, 2019 9:12 PM

Isn't this just further progression along the line where about 5(?) years ago Tibetan activists were targeted with MacOS-Pages exploits. The question at the time was how many Tibetans use a Mac? Turned out quite a few in the target audience because MacOS was perceived as more secure...

Clive Robinson • September 6, 2019 5:04 AM

@ lurker,

Isn't this just further progression along the line where about 5(?) years ago Tibetan activists were targeted

It's a sensible hypothesis, the problem is getting evidence sufficient to be proof.

With regards,

targeted with MacOS-Pages exploits. The question at the time was how many Tibetans use a Mac?

Look at it from the point of view of those who think they may be targeted. Their logic is something like,

China manufactures Apple products and many different companies' Android phones. Thus it's not easy to get a phone that China has not touched, potentially detrimentally, somewhere along the production supply chain.

Thus you have to look at the who checks the "end of supply chain quality". Apple is a US company and have been seen to care for their reputation fairly vigorously and thus check in various ways that their supply chain is unlikely to be tampered with.

The Android phone suppliers are in many cases "no-name no-reputation" often Chinese backed companies that come and go and are known to install all sorts of garbage on the phones, worse Google has had quite a few "apps" found to be infested with the equivalent of spyware / telemetry etc that the developer uses to make extra income.

Thus from that information limited view point Apple appears to be safer than Android.

The fact that actually both OS's are actively searched for "big bucks" vulnerabilities and they are found on both OS's fairly often suggests to me at least that neither OS is safe. Worse we also know that the hardware such as "security enclaves" have at best "feet of clay", which means that the security foundations the OSs leverage are built on at best shifting sands.

But the important point I keep making of "the security end point being sufficiently beyond the communications end point" simple as it is, is not something people appear to understand or want to know about.

The reason it's important is that nearly all FMCE devices including all consumer level phones and computers, have insufficient segregation to prevent someone who has access to the communications channel getting access to the plaintext user interface. Thus simply getting around any security built into the applications and OS's. Obviously those with access to the communications channel are the service providers, the governments the service providers are in and anyone who can get into the backbone networks etc... Basically all the people who want you to have complete transparency to them...

Privacy almost never comes for free we have to work at creating our private places and continue working to keep them private. Why people think they can get privacy for next to no effort has been a cause of surprise to me for many decades now.

People should realise that they can not buy privacy no matter who they are, they have to work at obtaining and maintaining it. Which requires a certain mindset, which can be taught but few wish to learn even when their very lives depend on it.

tds • September 6, 2019 7:41 AM

@Gunter Königsmann

"First since noscript only runs on Firefox and even if Firefox was equally vulnerable the exploits weren't delivered to Firefox browsers."

Perhaps running Firefox, and an OS, as a VM guest in VirtualBox could help. Or run from read-only media like a CD or DVD.

"And secondly as far as I can see the exploits don't look like being feasible from HTML alone: spawning hundreds of process groups of 16 processes each and similar."

I'll take this to mean 'javascript off' might have helped to mitigate these attacks.

"But I don't know a noscript user who isn't ready to try to turn noscript off many scripts if this is required to make a website work."

that's true for me

NoScript is also a hassle for supporting other users (time consuming)

A DDG search of 'how to use noscript' yielded many results

tds • September 6, 2019 8:47 AM

@Winter

"Re: NoScript:
Browsers on iOS are severely restricted. No elective script blocker seems to be "possible". Javascript is either on or off on an iPhone."

My fiddling supports your claim.

Of course, Brave or Firefox Focus, for example, could be run with 'javascript on' and with Safari run 'javascript off' on iOS devices.

SpaceLifeForm • September 6, 2019 3:47 PM

@tds

(In re old note: Yes NodeJS can be run in browser. Not trivial)

As, to current issues:

I'm thinking Musl Clang toolchain.

That is not to imply that I endorse *ANY* c++ code compiled with either gcc or Clang.

Note: gcc and Clang are now both written in c++, so even if I can trust Musl, that does not mean my toolchain cannot be attacked.

And any application code that relies upon threads.

I think that one can be attacked via the application, if it uses:

c++
threads


The attacker hits the heap. (always has been a problem)

They create a race condition via the threads implementation.


Recommendation: Build your toolchain, from source, offline.

Even that does not prove anything.

So, then, before building your own OS with toolchain, and building again in a chroot, and another chroot, please review the millions of lines of code.

Ross Snider • September 9, 2019 10:38 AM

It looks like the Apple narrative is suggesting that China's use of the 0days were to target individuals associated with or suspected to be associated with ISIS and other "extremist groups" in high Uighur-populated areas. Namely, this wasn't a mass hacking effort but a constrained and targeted domestic intelligence effort.

If that is the case, while I am steadfastly against domestic surveillance and intelligence efforts (the ones in the West have been devastating to democracy) and will boo China for the employment of these techniques, I will side with Apple over Google in the narrative characterization of this: saying "they could have put it in an iframe and targeted Huffpo readers" is fluff, as that's not something the Chinese government has a mission to do. It's naive, and is focused merely on the existence of 0day vulnerabilities (which there will always be).
