Welcome to Codebook, being written live from the Billington CyberSecurity Summit in Washington, D.C.
A screen showing images of Chinese President Xi Jinping in Xinjiang where a pervasive security apparatus has subdued the ethnic unrest, June 2019. Photo: Greg Baker/AFP/Getty Images
The big picture: The security vulnerabilities that mobile malware takes advantage of are scarce and expensive, and countries are loath to risk burning their tools by widely exposing them.
Why it matters: No one has attempted to spread mobile malware to such a wide group before because no one has tried to surveil an entire ethnic group this way before.
Driving the news: On Thursday, Google announced it had discovered several campaigns using popular websites to indiscriminately inject malware onto iPhones.
Background: Surveillance of the Uighurs is nothing new. "The Chinese government has long harbored suspicion about the Uighur population’s loyalty to China, confusing ethnic identity with separatism," said Sophie Richardson, China lead for Human Rights Watch.
But in recent years, China has tightened its heavy-fisted rule of Xinjiang province with high-tech techniques.
Biometrics: China uses widespread facial recognition research to detect and track the Uighur minority, with Western research institutions and journals aiding in the development of facial recognition to distinguish Uighur facial features using artificial intelligence.
Digital tools: China tracks digital communications from Uighurs and stores information tapped from WiFi-enabled devices. Tourists entering Xinjiang province must install a monitoring app on their phones that scans for Quran passages and other contraband information, and Reuters reported Thursday that China hacked telecoms to spy on Uighur travelers.
The bottom line: This is not a small undertaking. China's willingness to spend on technology to surveil Uighurs has created a niche, high-growth industry among military contractors.
There's important work to be done in securing 5G, the next generation of wireless service, former FCC chair Tom Wheeler told Codebook. And not all of it stems from China's most controversial telecommunications equipment company.
What they're saying: "All the attention that’s being paid to Huawei, all of the furor, all of the upheaval, has masked the broader issue of the new set of threats that 5G presents," Wheeler said.
The big picture: The decentralized nature of 5G, the wide influx of new telecom equipment and the weak security of the many new devices 5G will connect to the internet create major new security challenges that need to be addressed.
Wheeler writes about those challenges and potential solutions in a Brookings Institute report out this week.
Setting standards: Wheeler says all connected products need security standards that change at the speed of technology, rather than the speed of Congress. "You cannot import a radio frequency device unless it meets established standards. The same should be true of 5G devices," Wheeler said.
Mascot of the current Android operating system Pie on Google company premises. Photo: Andrej Sokolow/picture alliance via Getty Images
For the first time, high-profile security contractor Zerodium is offering more money for newly discovered hackable Android flaws than for those on iPhones.
Zerodium is one of a number of brokers who funnel flaws to governments or contractors developing tools to hack devices. While Apple may offer $1 million for a high-end security flaw in iPhones in order to fix it, Zerodium offers $2 million for the same flaw so that someone can exploit it.
What does this mean for normal people? Most people reading this newsletter aren't in the market for an Android vulnerability and are more likely concerned about which phone platform offers tighter security. That's not necessarily an easy thing to figure out from pricing alone.
Supply and demand set prices, and pricing impacts demand. Zerodium’s backlog of iPhone vulnerabilities could reflect the previous pricing scheme.
Between the lines: A lot of the pricing has to do with what phones the customers of companies like Zerodium want to hack, noted Katie Moussouris, the CEO of Luta Security, who studied the gray market trade of vulnerabilities with MIT. Indeed, while iPhones are more popular in the U.S., Androids are more popular worldwide.
The bottom line: All of this ignores a fundamental truth in hacking: For nearly all users across all digital devices, the greatest hacking threat doesn’t come from these extremely expensive vulnerabilities. It comes from users' willingness to click where they shouldn't and to install programs that shouldn’t be installed, and from their failure to patch software that needs to be patched.
Stuxnet mystery solved: A report by Kim Zetter and Huib Modderkolk of Yahoo News fills in some of the gaps on how Stuxnet, one of the first cyberattacks with physical consequences, burrowed its way onto Iranian systems in 2007.
A bug in remote access hardware haunts nearly 50,000 internet-facing servers: Supermicro patched a bug that allowed hackers to access remote access hardware known as baseboard management controllers (BMCs).