Oppressed Ethnic Minorities, Technology, and You
According to the recent news, an exploit in iOS was used between January and March 2020 to spy on visitors of certain websites related to an ethnic minority living in northwestern China.
This particular story is unnerving on many levels. It also has more to do with the rest of the world than some of us would like. In this piece, we recap the latest news about flaws discovered in iOS and Android, look at the consequences of such flaws, and figure how it all fits in with the bigger picture of a mild dystopia.
Troubling Case of Uyghurs in China
First things first, this story is heavily politicized. The Uyghurs, a Turkic ethnic minority mainly living in the Xinjiang region in northwestern China, have a long history of problems with the country’s ruling party. In the 21st century, it is one of the grim examples of technologies being adopted to facilitate what looks like a modern-day atrocity.
China has been exerting control over the region native to Uyghur people since the times of monarch dynasties. This led to conflicts with the locals, oppression, and terror. In more recent times, under the veil of fighting extremists and terrorism in the predominantly Muslim Xinjiang region, the Chinese government has been reportedly utilizing mobile apps, GPS tracking, and biometric surveillance to spy on the Uyghur people. The list of alleged human rights violations on the part of Chinese authorities is not something one would wish to be true.
On April 21st, 2020, a security firm Volexity reported about an exploit that affected iOS versions 12.3, 12.3.1, and 12.3.2. According to Apple’s statistics, 30% of all iPhones and 43% of all iPads that use the AppStore run on iOS 12 or older.
The vulnerability had the devices install a malicious implant, which Volexity researchers dubbed Insomnia, and could be triggered by any browser using WebKit. The attackers have rigged at least six websites related to Uyghur culture. A compromised website would check if a user’s device is vulnerable and load malicious code only if there’s a match.
The code downloaded from the compromised websites was able to access and silently send data from a list of popular messaging apps, including Telegram, Gmail, and Whatsapp, as well as realtime GPS tracking information and photos. According to Volexity’s recent findings, the implant also targets Signal and ProtonMail, both of which are used for encrypted communication.
“The inclusion of these apps suggests they are being more commonly used by the Uyghur community than before. In particular, the inclusion of Signal and ProtonMail may suggest that the Uyghurs are aware of potential monitoring of their communications and are attempting to use applications with strong security features to avoid this,” Volexity wrote.
The researchers also noted that the actor using the exploit was identified as Evil Eye, a group allegedly affiliated with Chinese authorities and involved in a series of cyberattacks on Uyghurs in 2019. Notably, both iOS and Android devices have been affected by these attacks.
Smartphones Are Full of Holes, Not All of Them Are Plugged
Keeping users in check, on April 22d, Reuters reported about an iOS vulnerability allowing hackers to access users’ mail via Apple’s Mail app. According to the researchers who discovered it, the exploit has been used in at least six attacks going back to January 2018.
Unsurprisingly, Android-powered devices are at least just as flawed as Apple products. Apparently, it took Google four years to address a problematic VPN app on the official Play Store marketplace that allowed adversaries to intercept communications and redirect users to malicious servers collecting users’ data. The app, SuperVPN, had over a hundred million downloads. The situation with the unofficial app marketplaces is more dramatic. According to ZDNet, an unidentified hacker obtained personally identifiable information on 39 million users of a third-party Android app marketplace called Aptoide. On April 17, the hacker published emails, passwords, and other data of 20 million Aptoide users.
Moreover, aside from the accidental vulnerabilities found and exploited by malicious actors until patched, some vulnerabilities may hypothetically be intentionally introduced or left unpatched by the developers. In an extreme case, a company like Google or Apple may be forced to cooperate with the U.S. government by introducing backdoors.
Back in 2016, Apple has famously declined the FBI’s request to hack into an iPhone involved in an anti-terrorist investigation. Remarkably, the government agencies haven’t been able to unlock the device themselves but eventually used an undisclosed third-party hacking tool to get limited access. As mentioned in one of the recent privacy-related pieces on forklog.media, there are plenty of tools to extract information from people’s devices and individual media files.
Considering the constant tug-of-war between privacy and national security, device manufacturers and software developers may eventually increase the extent of cooperation with the authorities. In a world stunned by the coronavirus pandemic, the problem of privacy gets even worse.
Too Close for Comfort
Reportedly, there are about 12 million Uyghur people, almost all of which leave in China’s Xinjiang region. This is almost an entire ethnos subjected to constant surveillance, not to mention the oppression and alleged inhumane treatment. Some of these people may have done wrong, but it hardly justifies condemning millions of innocents to such conditions.
And now, governments are thinking about coronavirus tracing apps that would potentially monitor hundreds of millions of users across the world. In this case, the justification for the surveillance measures looks much more reasonable. Indeed, it looks like the world needs every bit of effort to thwart the pestilence. But this isn’t necessarily the only reason.
The important thing is that an average internet user just a couple of steps away from the position of an oppressed ethnic minority in China. Effectively, all it takes is someone in a position of power to make a condemning decision to turn people’s data against them.
On the bright side, humans still have the wit that allowed ancient monkeys to figure out how to live in a savanna when they were forced down from the trees. Hopefully, we will figure out how to live in whatever world we end up in.
Subscribe to our Newsletter<
- Data Brokers: How Law Enforcement Rely on Inaccurate Data to Supplement Investigations
- Messenger App Steals User Data and Hacks Their Devices, ESET Research
- UK Supplies Spyware and Telecoms Interception Devices to Countries With Repressive Regimes
- Hacker Group Targeting Fintech Companies and Personal Data Has Been Under Radar For Years, NOD32 Developer Finds
- Stalkerware Usage in on the Rise as Domestic Violence Rates Surge During Lockdown
- Former Yahoo! Engineer Who Hacked 6,000 Email Accounts Looking for Sexually Explicit Media Avoids Jail
- ‘TikTok Spies On You and Transfers Data to Chinese Authorities.’ But Is It All That Bad?
- U.S. Senators Introduce Ultimate Backdoor Bill Banning the Use of Strong Consumer-Grade Encryption