How China Used Award-Winning iPhone Hack to Spy on Uyghur Muslims Detailed in Report

The Chinese government used an award-winning iPhone hack first discovered three years ago at a Beijing hacking competition in order to spy on the phones of Uyghur Muslims, according to a new report.

The report, published Thursday by MIT Technology Review, detailed how the government was able to successfully tap into the phones of Uyghur Muslims in 2018 using a sophisticated technique.

The U.S. government and several large technology companies have known for years that China has been targeting the ethnic minority through an aggressive campaign that attacks social media, phones and other technologies. The campaign has also targeted journalists and impersonated Uyghur news media.

In the country's Xinjiang region, China has placed more than 1 million Uyghurs and other Muslim minorities into detainment camps, where they force people to work against their will. The Chinese have been accused of committing systemic abuse and rape. In January, the U.S. government declared that China's actions against the Uyghurs are genocide.

In Thursday's report, MIT Technology Review detailed how China was able to successfully spy on Uyghur iPhones using a hacking vulnerability that was discovered during the Beijing competition.

The hacking competition, known as the Tianfu Cup, was kick-started in China in November 2018 as a way for Chinese hackers to find flaws in popular tech software. The competition was modeled after an international event known as Pwn2Own, which invites hackers from around the world to demonstrate tech vulnerabilities so companies can find and fix flaws in their products, according to the report.

But China's Tianfu Cup was created as a means for Chinese hackers to demonstrate such flaws without publicizing them to the international community. That way, the Chinese government would be able to use certain hacking techniques discovered at the event for their own purposes, according to the report.

"The original decision to not allow the hackers to go abroad to competitions seems to be motivated by a desire to keep discovered vulnerabilities inside of China," Adam Segal, an expert on Chinese cybersecurity policy at the Council for Foreign Relations, said in the report.

In that 2018 competition, a Chinese hacker discovered a weakness in the core of Apple's iPhone operating system that allowed him to hack into any phone that visited a webpage encrypted with a malicious code. The hacker, Qixun Zhao, dubbed the technique "chaos" because of its disruptive nature.

Just two months later, Apple issued a quick update to fix the targeted flaw in January 2019. However, in the nearly overnight period between when the hack was discovered and when the problem was solved, China was able to use the vulnerability to specifically target Uyghurs.

"The incident is stark. One of China's elite hacked an iPhone, and won public acclaim and a large amount of money for doing so. Virtually overnight, Chinese intelligence used it as a weapon against a besieged minority ethnic group, striking before Apple could fix the problem," the report states.

Uyghur Muslim camp
Buildings at the Artux City Vocational Skills Education Training Service Center, believed to be a reeducation camp where mostly Muslim ethnic minorities are detained in China's Xinjiang region, in June 2019. GREG BAKER/AFP/Getty Images

Later in 2019, Apple issued a statement confirming that the attack took place over that two-month period and that hackers were largely targeting the Uyghur community.

"The attack affected fewer than a dozen websites that focus on content related to the Uyghur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously," the statement said.

"Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they're found. We will never stop our tireless work to keep our users safe," the company added.

Apple is not the only company to be targeted by Chinese hackers for the purpose of spying on the Uyghur community. In March, Facebook discovered that Chinese hackers used fake Facebook profiles to spy on Uyghur activists, journalists and dissidents from Xinjiang.

In some cases, the hackers created look-alike websites and accounts that were almost identical to legitimate news sites popular with Uyghur Muslims across Xinjiang. Those fake accounts contained malicious links that infected computers and smartphones if clicked, which would then allow the hackers to gain access and spy on devices.

"They tried to create these personas, build trust in the community and use that as a way to trick people into clicking on these links to expose their devices," Nathaniel Gleicher, Facebook's head of cybersecurity policy, told reporters in March.

Newsweek contacted Apple for a response, but it declined to comment beyond the 2019 press release and original report.