An award-winning iPhone hack was used by the Chinese government to spy on Uyghur Muslims, giving Beijing total control of their phones.
A Chinese white hacker who participated in a hacking contest discovered a zero-day vulnerability and won a prize in the contest. Usually, these vulnerabilities are reported to the developer, fixed, and then published. However, it was reported that the Chinese government
created an exploit that exploited this vulnerability and developed a surveillance tool to spy on Uighurs.
The hacking contest Pwn2Own is an event attended by millions of security researchers from around the world. Zhou Hongyi, CEO of Chinese cybersecurity giant Qihoo 360, warned Chinese security researchers attending these events that ‘the vulnerabilities they found would be unusable.’ Hongyi argued that by keeping these discoveries in China, the country would gain ‘strategic value.’
In an unexpected statement, the billionaire founder and CEO of the Chinese cybersecurity giant Qihoo 360—one of the most important technology firms in China publicly criticized Chinese citizens who went overseas to take part in hacking competitions. In an interview with the Chinese news site Sina, Zhou Hongyi said that performing well in such events represented merely an “imaginary” success. Zhou warned that once Chinese hackers show off vulnerabilities at overseas competitions, they can “no longer be used.” Instead, he argued, the hackers and their knowledge should “stay in China” so that they could recognize the true importance and “strategic value” of the software vulnerabilities.
Beijing agreed. Soon, the Chinese government banned cybersecurity researchers from attending overseas hacking competitions. Just months later, a new competition popped up inside China to take the place of the international contests. The Tianfu Cup, as it was called, offered prizes that added up to over a million dollars.
Soon after, the Chinese government banned its citizens from entering the contest, instead creating their own version of Pwn2Own:
The inaugural event was held in November 2018. The $200,000 top prize went to Qihoo 360 researcher Qixun Zhao, who showed off a remarkable chain of exploits that allowed him to easily and reliably take control of even the newest and most up-to-date iPhones. From a starting point within the Safari web browser, he found a weakness in the core of the iPhones operating system, its kernel. The result? A remote attacker could take over any iPhone that visited a web page containing Qixun’s malicious code. It’s the kind of hack that can potentially be sold for millions of dollars on the open market to give criminals or governments the ability to spy on large numbers of people. Qixun named it “Chaos.”
Apple fixed the vulnerability in January 2019, two months after the exploit was announced. However, in the second half of 2019, Google discovered and announced that a large-scale hack using the vulnerability discovered by Mr. Zhao was being carried out.