Sep 5, 2019

Axios Codebook

Welcome to Codebook, being written live from the Billington CyberSecurity Summit in Washington, D.C.

Today's Smart Brevity: 1,432 words, 5 minute read

1 big thing: A new window onto China's Uighur spying

A screen showing images of Chinese President Xi Jinping in Xinjiang where a pervasive security apparatus has subdued the ethnic unrest, June 2019. Photo: Greg Baker/AFP/Getty Images

Those websites we reported on last week that target iPhone users with malware appear to have been part of China's long-running effort to monitor its Uighur population.

The big picture: The security vulnerabilities that mobile malware takes advantage of are scarce and expensive, and countries are loath to risk burning their tools by widely exposing them.

  • The only scenario where it makes any economic sense to use such techniques this broadly is one involving a wealthy government trying to mount a vast surveillance effort — as with China's campaign among the Uighurs in Xinjiang.

Why it matters: No one has attempted to spread mobile malware to such a wide group before because no one has tried to surveil an entire ethnic group this way before.

Driving the news: On Thursday, Google announced it had discovered several campaigns using popular websites to indiscriminately inject malware onto iPhones.

  • Subsequent reporting showed that the campaign looked to infect not only iPhones but Android devices and Windows computers as well.
  • The firm Volexity found evidence those sites included Uighur news outlets and other Uighur community sites.

Background: Surveillance of the Uighurs is nothing new. "The Chinese government has long harbored suspicion about the Uighur population’s loyalty to China, confusing ethnic identity with separatism," said Sophie Richardson, China lead for Human Rights Watch.

But in recent years, China has tightened its heavy-handed rule of Xinjiang with high-tech techniques.

Biometrics: China uses facial recognition at scale to detect and track the Uighur minority, and Western research institutions and journals have aided the development of AI models trained to distinguish Uighur facial features.

  • China tracks Uighurs through other biometrics too, including DNA.

Digital tools: China tracks Uighurs' digital communications and stores data collected from WiFi-enabled devices. Tourists must install a monitoring app on their phones when entering Xinjiang; it scans the device for Quran passages and other material deemed contraband. Reuters reported Thursday that China hacked telecoms to spy on Uighur travelers.

  • All of that information feeds a machine-learning-driven mobile app that directs police activity.
  • Human Rights Watch reverse-engineered the app and found that a wide variety of factors determine who is flagged as suspicious, including whether people use their home's front or back door.

The bottom line: This is not a small undertaking. China's willingness to spend on technology to surveil Uighurs has created a niche, high-growth industry among military contractors.

  • Secretary of State Mike Pompeo recently described the crackdown on Uighurs as the “stain of the century.” And the White House added a Uighur American to the National Security Council to contribute to China policy.

2. Ex-FCC head: Huawei obscures the rest of 5G security

There's important work to be done in securing 5G, the next generation of wireless service, former FCC chair Tom Wheeler told Codebook. And not all of it stems from China's most controversial telecommunications equipment company.

What they're saying: "All the attention that’s being paid to Huawei, all of the furor, all of the upheaval, has masked the broader issue of the new set of threats that 5G presents," Wheeler said.

The big picture: The decentralized nature of 5G, the wide influx of new telecom equipment and the weak security of the many new devices 5G will connect to the internet create major new security challenges that need to be addressed.

Wheeler lays out those challenges and potential solutions in a Brookings Institution report out this week.

  • The administration and Congress have largely focused on Huawei, which is accused by the U.S. government of sabotaging its equipment to aid China in espionage.
  • While Wheeler acknowledges Huawei is a threat, he worries that the rush to bring 5G products to market will introduce additional security problems lawmakers aren't addressing.

Setting standards: Wheeler says all connected products need security standards that change at the speed of technology, rather than the speed of Congress. "You cannot import a radio frequency device unless it meets established standards. The same should be true of 5G devices," Wheeler said.

  • Regulators, he believes, should be able to hold wireless companies to an industry-defined set of 5G security standards. Otherwise, he worries, providers that handle security proactively will be at a cost disadvantage against those that don't.

3. Android vulnerabilities now pricier than iPhone ones

Mascot of the current Android operating system Pie on Google company premises. Photo: Andrej Sokolow/picture alliance via Getty Images

For the first time, high-profile security contractor Zerodium is offering more money for newly discovered hackable Android flaws than for those on iPhones.

Zerodium is one of a number of brokers that funnel flaws to governments or to contractors building tools to hack devices. Apple's own bug bounty tops out at $1 million for the most severe iPhone flaws, paid so that Apple can fix them; Zerodium pays $2 million for the same class of flaw so that its customers can exploit it.

  • For the first time, Zerodium has raised its top Android payout above the iPhone equivalent, to $2.5 million.
  • It also cut the payout for some classes of iPhone vulnerabilities, citing a backlog of unsold submissions.

What does this mean for normal people? Most people reading this newsletter aren't in the market for an Android vulnerability and are more likely concerned about which phone platform offers tighter security. That's not necessarily an easy thing to figure out from pricing alone.

Supply and demand set prices, and prices in turn shape supply: Zerodium's backlog of iPhone vulnerabilities could simply reflect its previous, higher iPhone payouts rather than iPhones being easier to hack.

  • Both Google and Apple regularly improve the security of their platforms.

Between the lines: A lot of the pricing has to do with what phones the customers of companies like Zerodium want to hack, noted Katie Moussouris, the CEO of Luta Security, who studied the gray market trade of vulnerabilities with MIT. Indeed, while iPhones are more popular in the U.S., Androids are more popular worldwide.

The bottom line: All of this ignores a fundamental truth in hacking: for nearly all users across all digital devices, the greatest threat doesn't come from these extremely expensive vulnerabilities. It comes from clicking where they shouldn't, installing programs they shouldn't, and not patching software that needs patching.

  • Your threat isn’t a Zerodium customer. It's a low-level criminal who doesn’t have $2.5 million to spend to hack you.

4. In case you missed last week

Stuxnet mystery solved: A report by Kim Zetter and Huib Modderkolk of Yahoo News fills in some of the gaps on how Stuxnet, one of the first cyberattacks with physical consequences, burrowed its way onto Iranian systems in 2007.

  • Stuxnet, a project headed by Israeli and U.S. intelligence, was intended to disrupt systems enriching uranium for the Iranian nuclear weapons program.
  • Since the Iranian systems were not connected to the internet, the best known version of Stuxnet took a convoluted path to the Iranian centrifuges. It spread across the internet, infected Iranian employees' office computers, transferred onto USB drives those employees used, and infected the main systems from the USB drives.
  • The earliest version of Stuxnet couldn't do that; it spread only through USB drives, and it has been unclear how that version got onto the air-gapped Iranian systems.
  • Now we know: According to the Yahoo story, it was uploaded via a Dutch contractor servicing the Iranian systems.

A bug in remote access hardware haunts nearly 50,000 internet-facing servers: Supermicro patched a bug in the baseboard management controllers (BMCs) built into its servers that gave attackers control of the servers' remote-access features.

  • BMCs are small management computers built into servers that let IT staff power-cycle, reinstall and troubleshoot a machine remotely, even when its main operating system is down. One of their features, virtual media, lets the BMC present a remote disk image or keyboard to the server as if it were plugged into a local USB port.
  • BMCs are notorious for security flaws and are supposed to live on an isolated management network, never on the public internet, though many organizations ignore that advice.
  • The firmware security company Eclypsium found that the virtual-media service on Supermicro BMCs let an attacker who could reach it over the network attach a USB device of their choosing to the server, as if they were standing in front of it.
  • While the patch is available, Eclypsium's Rick Altherr worries some firms may fail to install it. "The common practice used to be to only update BMC firmware if you experience an issue," he told Codebook. "Now the messaging is update for security. But there's a long history of the last advice."
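The two failures this item describes, BMCs reachable from the internet and BMCs left on old firmware, are both things an inventory audit can catch before a vendor advisory forces the issue. The script below is an added example written for this newsletter, not Eclypsium's or Supermicro's code: it reads a constructed BMC inventory, flags any BMC address that is not RFC 1918 or that sits outside a hypothetical out-of-band management network, and flags firmware below a hypothetical minimum version (the real floor comes from the vendor advisory, not from this page). The management ranges, version floor and inventory rows are all assumptions made up for illustration.

```python
"""Audit a BMC inventory for internet exposure and stale firmware.

Added example for this newsletter item; it is not Eclypsium's or Supermicro's
code. The management networks, the firmware floor and the inventory below are
all constructed for illustration.
"""
import ipaddress
import re
from typing import List, Tuple

# RFC 1918 ranges: a BMC answering on any other IPv4 address is, at best,
# reachable from places it should never be.
RFC1918_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Hypothetical out-of-band (OOB) management networks. Even a private BMC
# address is a finding if it sits outside these ranges.
MANAGEMENT_NETS = [
    ipaddress.ip_network("10.250.0.0/16"),
    ipaddress.ip_network("192.168.100.0/24"),
]

# Hypothetical minimum firmware version. The real floor comes from the
# vendor advisory for the affected product line; it is not taken from the page.
MIN_FIRMWARE = (3, 8)


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted version into integer components so that 3.65 > 3.8,
    which is how vendors number firmware (string comparison would get it wrong)."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def address_problems(ip_text: str) -> List[str]:
    """Return the exposure findings for one BMC address (empty list if clean)."""
    ip = ipaddress.ip_address(ip_text)
    problems = []
    if not any(ip in net for net in RFC1918_NETS):
        problems.append("publicly routable address (not RFC 1918)")
    if not any(ip in net for net in MANAGEMENT_NETS):
        problems.append("outside the out-of-band management networks")
    return problems


def audit_inventory(csv_text: str) -> List[Tuple[str, str]]:
    """Return (hostname, finding) pairs for every BMC that fails a check.

    Input lines look like: hostname,bmc_ip,firmware_version
    A header line starting with 'hostname' and blank lines are skipped.
    """
    findings: List[Tuple[str, str]] = []
    floor = ".".join(str(n) for n in MIN_FIRMWARE)
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("hostname"):
            continue
        host, ip_text, fw_text = (field.strip() for field in line.split(","))
        for problem in address_problems(ip_text):
            findings.append((host, problem))
        if parse_version(fw_text) < MIN_FIRMWARE:
            findings.append((host, f"firmware {fw_text} is below minimum {floor}"))
    return findings


# Constructed inventory: five servers, three of which should be flagged.
SAMPLE_INVENTORY = """\
hostname,bmc_ip,firmware_version
db01,10.250.4.17,3.65
web02,203.0.113.45,3.65
build03,10.250.9.3,3.70
legacy04,172.16.40.8,1.22
store05,10.250.12.40,3.7
"""

if __name__ == "__main__":
    for host, finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {finding}")
```

Run as-is, it reports web02 (public address, outside the management network), legacy04 (private but outside the management network, and on firmware 1.22) and store05 (firmware 3.7, which is older than 3.8 even though a naive string comparison would say otherwise). Replace SAMPLE_INVENTORY with an export from your asset system and the two constants with your real management ranges and the version named in the vendor advisory.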

5. Odds and ends

The Cleveland Browns, a still-inexplicable Codebook reader pick to win the Super Bowl and a team whose very name is a synonym for decay, are pegged to win the AFC North, according to an ESPN simulation.