Scores of White Hat hackers participate in Bug Bounty Programs and win huge rewards. Typically the exploits are handed over to the concerned company and published only after it is fixed. A new report highlights how the Chinese government used a prize-winning iPhone hack and turned it into a surveillance tool to spy on Uyghur Muslims.

The exploit allowed the government to take complete control of target phones and thus launch a mass surveillance campaign. Previously, Chinese security researchers used to participate in the Pwn2Own event to discover zero-day vulnerabilities. It is a global event and attracts hundreds of security researchers from across the world.

The CEO of Chinese giant Qihoo 360 unexpectedly accused Chinese participants of being disloyal to the country.

In an unexpected statement, the billionaire founder and CEO of the Chinese cybersecurity giant Qihoo 360—one of the most important technology firms in China—publicly criticized Chinese citizens who went overseas to participate in hacking competitions. In an interview with the Chinese news site Sina, Zhou Hongyi said that performing well in such events represented merely an “imaginary” success. Zhou warned that once Chinese hackers show off vulnerabilities at overseas competitions, they can “no longer be used.” Instead, he argued, the hackers and their knowledge should “stay in China” so that they could recognize the true importance and “strategic value” of the software vulnerabilities.

Zhou certainly had the attention of the Chinese government. In 2017 China banned security researchers from attending global events. Soon enough, they came up with their event called “The Tiafu Cup.” The participants were awarded cash prizes amounting to more than a million dollars.

The inaugural event was held in November 2018. The $200,000 top prize went to Qihoo 360 researcher Qixun Zhao, who showed off a remarkable chain of exploits that allowed him to easily and reliably take control of even the newest and most up-to-date iPhones. From a starting point within the Safari web browser, he found a weakness in the core of the iPhone’s operating system, its kernel. The result? A remote attacker could take over any iPhone that visited a web page containing Qixun’s malicious code. It’s the kind of hack that can potentially be sold for millions of dollars on the open market to give criminals or governments the ability to spy on large numbers of people. Qixun named it “Chaos.”

Apple fixed the flaw in January 2019, two months after it was discovered. Later that year, Google released a report pertaining to a hacking campaign. They discovered that iPhones were being hacked in mass and contributed the attack to five exploit chains. This included the exploit that won the top prize in China’s cybersecurity event.

The incident is stark. One of China’s elite hacked an iPhone, and won public acclaim and a large amount of money for doing so. Virtually overnight, Chinese intelligence used it as a weapon against a besieged minority ethnic group, striking before Apple could fix the problem. It was a brazen act performed in broad daylight and with the knowledge that there would be no consequences to speak of.

It is alleged that the Chinese followed the “strategic value” plan devised by Qihoo’s Zhou Hongyi. In other words, the Tianfu cup had revealed a significant hack. The exploit was handed over to the Chinese intelligence who used it to spy on Uyghurs. Zhou refuted the allegations and claimed the exploit could have been used after the patch. However, both Apple and Google had documented that the exploit was used before Apple patched it.

Our Take

State-sponsored attacks are not something new. The Chinese government is accused of oppressing Uyghur Muslims human rights for many years. Ideally the government agencies should not meddle with cybersecurity events, and companies like Apple should try to enhance their bug bounty program further.