Investigation into suspected Apple ID leak

A large-scale theft of Apple IDs among Apple mobile phone users is sweeping across the country.

In several QQ rights-protection groups for victims of Apple ID theft, there are nearly a thousand victims from all over the country.

But this is just the tip of the iceberg.

"There are still many people who don't even know their Apple ID has been stolen, and some victims do not participate in rights protection. The actual number of victims should be far greater than this number," said Huang Yang (pseudonym), who has been engaged in network security work for many years.

In his view, this is an underground industry chain aimed entirely at Chinese Apple phone users; it is organized, team-based crime, and the scale is not small.

Later, the reporter was pulled into a group for Apple ID theft protection, where more than 400 victims discussed how to defend their rights against Apple. Their accounts were stolen from February to October this year, with the majority of users having their accounts stolen from September to October. The amount of money stolen ranged from a few hundred to tens of thousands of yuan, with most of them concentrated in 2,000-3,000 yuan.

Huang Yang told Jinwan Finance that he has seen several cases of Apple ID theft since July and August this year. After communicating with many colleagues in the mobile phone security industry, he found that after the Apple ID of some users was stolen, the WeChat chat history in their mobile phones was quickly cracked and leaked. "Even the WeChat account password can be accurately obtained. This is obviously not a problem that WeChat can solve unilaterally."

Huang Yang said that they had been tracking it and finally found that it was a black industry. "If they could get tens to hundreds of millions of yuan in funds, it would be a huge income for any black industry team."

So how were these Apple IDs leaked?

"This time the theft does not seem to be caused by hackers exploiting a vulnerability in Apple phones. Instead, it is more likely to be a database collision or an insider crime," Zhao Wu, CEO of Beijing White Hat Technology, told reporters.

The so-called "database collision" (credential stuffing) refers to hackers taking the large volumes of user data already leaked on the Internet and, relying on the habit of reusing the same username and password across sites, trying those credentials against other websites, so that accounts on those sites are compromised as well.

Why does such a large-scale ID theft occur in China?

"At the end of February this year, Apple moved the iCloud database of Chinese users from the United States to Yunshang Guizhou." Huang Yang was silent for a moment and replied.

Stolen WeChat chat records

In the afternoon of October 11th, Tencent Building, Shenzhen.

Li Cheng (pseudonym), a risk-control manager in Tencent's WeChat Pay department, was anxiously discussing the issue of WeChat backups on iCloud with his colleagues.

iCloud is Apple's personal cloud storage service, used mainly to store photos, videos, documents and app data from devices such as the iPhone and iPad so that they stay synchronized across devices.

The strangest aspect of this Apple ID theft incident is that not only were users' Apple ID passwords leaked, but so were some users' WeChat chat records.

But Li Cheng told Jinwan Finance: "WeChat chat records are usually encrypted and backed up in the phone. If you change your phone, you won't be able to see these chat records."

So how could hackers obtain the WeChat chat records from someone's iPhone?

After analysis, Li Cheng came to the following conclusion: because iCloud backs up the WeChat app's data in full, once the hacker has the Apple ID and password he can restore the WeChat app from iCloud onto a different phone. If he also knows the victim's WeChat account and password, he can log in to WeChat and read the decrypted chat history.

Under the relevant agreement between WeChat and Apple, WeChat backs up chat records and other data inside the app on the iPhone; when iCloud synchronizes WeChat's data, those chat records are uploaded to iCloud as well.

What is most worrying is that iCloud backs up not only WeChat's data but the app data of almost all software on the phone.

In a QQ rights protection group, some users discovered that there were large, unknown amounts of spending on their Alipay bills.

On October 10, Alipay released a message on its official Weibo account: Recently, Alipay detected that the IDs of some iPhone users had been stolen, resulting in financial losses to the payment tools bound to the relevant IDs.

"The iCloud function of backing up all the apps on the phone is very dangerous. Once the ID is leaked, the user's privacy in all the apps on the phone will be in danger," said Li Cheng.

What worries Li Cheng is that it is currently difficult for WeChat to unilaterally stop its chat history from being uploaded to Apple's iCloud: the iCloud backup runs in the background of the phone, and foreground apps are generally unaware of it. As long as the user has agreed to backups, all of the foreground app's data is uploaded to iCloud.

On June 1, 2017, the Cybersecurity Law of the People's Republic of China took effect. It set new rules for foreign companies operating in China: to protect consumer rights to the greatest extent, sensitive data must be stored on domestic servers.

Therefore, on January 10 this year, Apple announced that starting from February 28, the iCloud service in mainland China will be operated by Yunshang Guizhou Big Data Industry Development Co., Ltd. ("Yunshang Guizhou" for short). Apple mobile phone users whose Apple ID country or region is set to China are all affected by this change.

According to the agreement, Apple authorized Yunshang Guizhou to be the sole partner of Apple in operating iCloud services in mainland China. Yunshang Guizhou, as the operating entity, operates iCloud services in mainland China.

Apple will build two iCloud data centers in China, one in Ulanqab, Inner Mongolia and the other in Gui'an, Guizhou. The Gui'an data center officially broke ground in May this year and will cost $1 billion.

The most visible change for Apple phone users is the note "Operated by Yunshang Guizhou Company" under the iCloud logo, which was once seen as a strategic step for Apple in China.

According to The Paper, the iCloud section of Apple's official website has published an explanation of whether Yunshang Guizhou can view the data in users' iCloud. The "Access Your Account and Content" section states clearly: "You understand and agree that Apple and Yunshang Guizhou have the right to access all data you store in this service, including the right to share, exchange and disclose all user data (including content) to and between each other in accordance with applicable laws."

Some netizens reported that after transferring iCloud to Guizhou, there was a surge in iMessage spam messages. Many netizens said, "It was fine before, but since transferring iCloud to Guizhou, I keep receiving iMessage spam messages."

However, the relevant person in charge of Yunshang Guizhou once responded to the media: "iMessage does not belong to the scope of Yunshang Guizhou's iCloud business in mainland China."

A Zhihu user responded to the question "What does it mean that iCloud services in mainland China will be operated by Yunshang Guizhou?" and said, "I agreed to the migration of iCloud services yesterday, and I have received marketing fraud calls from Guizhou since 1 a.m. today. I have received 2 calls so far. My number is located in Shanghai and I have been using it for 8 years. I have only received marketing fraud calls from Jiangsu, Zhejiang and Shanghai. This is the first time I have received one from Guizhou."

The Million-Dollar Apple Bug

On October 11, Apple CEO Tim Cook showed up at an Internet company in Beijing. No one knows why he came.

Meanwhile, countless rights-protection calls were being made to Apple's customer service hotline across the country; most of the complaints had received no response, and refunds had not been approved.

How will Apple solve the problem of Apple ID theft?

In Huang Yang's opinion, if the problem was caused by hackers who had exploited a vulnerability in Apple phones, then it would undoubtedly be Apple's responsibility and the loss would be borne by Apple. But he believes that the probability of this happening is very low.

"Do you know how much a vulnerability in an Apple phone is worth in the market? At least more than $1 million."

As early as 2016, the US "cyber arms dealer" Zerodium publicly offered a reward of 1 million US dollars, with no upper limit, to anyone who could crack an Apple phone. In other words, anyone who can find a vulnerability in an Apple phone can immediately collect a bonus of at least one million US dollars, or even more.

Even without selling the vulnerability, hackers who hold an Apple phone vulnerability can set up their own app distribution market: through the vulnerability, apps can be installed directly on users' iPhones without passing the Apple App Store's review process, which is also a big business.

In the early days, hackers may have been playing pranks. Now, vulnerabilities have become core strategic resources for many countries. "Just like weapons, they can be sold at high prices on the open market. There is no need to make money by committing crimes as a hacker, and they will not be easily used by the public," said Zhao Wu, CEO of White Hat Technology.

Nowadays, the annual salary of top white hats in China (people who use hacking skills to uphold fairness and justice in network relationships) is more than one million yuan, and some security personnel even earn tens of millions of yuan a year, because each vulnerability they discover can earn tens of thousands of dollars, and some teams find hundreds of vulnerabilities a year.

Pwn2Own, the world's top hacking competition, was held in Vancouver in 2017 for the tenth consecutive year, with prizes of up to one million US dollars. Many experts were on the scene, and 11 teams from China, the United States and Germany completed attacks against mainstream browsers, operating systems, virtual machines, document software and more.

"The vulnerability is one-time. You can use it to hack, and the company will quickly fix it and it will be gone. In terms of input-output ratio, database collision has the lowest cost, does not require too much technology, and has been proven to be effective," said Zhao Wu.

In recent years, large-scale user data leaks have frequently occurred.

In 2015, NetEase's user database was leaked, affecting nearly 500 million records in total. The leaked fields included username, password (MD5 hash), password-hint question/answer (MD5 hash), registration IP, birthday and more.

In December 2016, a 12 GB data dump from JD.com began circulating on the black market, containing usernames, passwords, email addresses, QQ numbers, phone numbers, ID-card numbers and other fields, amounting to tens of millions of records.

In August this year, about 500 million records of user data from Huazhu Hotel Group were leaked, including registration information from its official website, identity information used for hotel check-in, hotel room booking records, and guests' names, mobile phone numbers, email addresses, ID numbers and login account passwords.

Because few users set a different password on each platform, hackers take the large volumes of user data leaked on the Internet and try those credentials against other websites.
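The "database collision" described earlier and in the paragraph above has a recognizable shape on the defender's side: one source tries many different usernames in a short time, each once or twice, with most attempts failing, whereas a forgetful user retries one account a few times. The following is an added example, not code from the article or from any company it mentions; the log format, the thresholds and the sample log lines are all constructed for illustration. It groups login attempts per source address in a sliding window, flags sources whose distinct-username count and attempt count both cross a threshold, and lists the accounts that logged in successfully from a flagged source, which are the ones a service should force through a password reset or two-step verification.

```python
"""Flag credential-stuffing ("database collision") patterns in login logs.

Added example, not from the article. Log line format is constructed:
    "<ISO timestamp> <source ip> <username> <OK|FAIL>"
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). 203.0.113.7 sprays many accounts in
# seconds; 198.51.100.4 is one user mistyping a password; 192.0.2.9 is a slow,
# low-volume attempt that a 5-minute window will not catch.
SAMPLE_LOG = """\
2018-10-09T01:00:00 203.0.113.7 alice FAIL
2018-10-09T01:00:02 203.0.113.7 bob FAIL
2018-10-09T01:00:03 203.0.113.7 carol FAIL
2018-10-09T01:00:05 203.0.113.7 dave OK
2018-10-09T01:00:06 203.0.113.7 erin FAIL
2018-10-09T01:00:08 203.0.113.7 frank FAIL
2018-10-09T01:00:09 203.0.113.7 grace FAIL
2018-10-09T01:00:11 203.0.113.7 heidi FAIL
2018-10-09T01:00:12 203.0.113.7 ivan FAIL
2018-10-09T01:00:14 203.0.113.7 judy OK
2018-10-09T01:00:15 203.0.113.7 mallory FAIL
2018-10-09T01:00:17 203.0.113.7 niaj FAIL
2018-10-09T01:10:00 198.51.100.4 peggy FAIL
2018-10-09T01:10:20 198.51.100.4 peggy FAIL
2018-10-09T01:10:45 198.51.100.4 peggy OK
2018-10-09T03:00:00 192.0.2.9 alice FAIL
2018-10-09T03:30:00 192.0.2.9 bob FAIL
2018-10-09T04:00:00 192.0.2.9 carol FAIL
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, min_attempts=8):
    """Return {ip: (max distinct users, max attempts)} for sources that, within
    any single window, tried at least min_users different accounts across at
    least min_attempts logins. Thresholds are constructed, not from the article."""
    per_ip = defaultdict(deque)  # ip -> deque of (timestamp, user) inside the window
    flagged = {}
    for line in log_text.strip().splitlines():
        ts, ip, user, _result = parse_line(line)
        q = per_ip[ip]
        # Successes count too: a stuffed credential that works is the actual harm.
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users and len(q) >= min_attempts:
            prev_users, prev_attempts = flagged.get(ip, (0, 0))
            flagged[ip] = (max(prev_users, len(users)), max(prev_attempts, len(q)))
    return flagged


def successes_from_flagged(log_text, flagged):
    """Accounts that logged in successfully from a flagged source: candidates
    for a forced password reset and mandatory two-step verification."""
    hits = set()
    for line in log_text.strip().splitlines():
        _ts, ip, user, result = parse_line(line)
        if ip in flagged and result == "OK":
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    suspects = detect_stuffing(SAMPLE_LOG)
    print("flagged sources:", suspects)
    print("accounts to reset:", successes_from_flagged(SAMPLE_LOG, suspects))
```

Two design notes. Counting distinct usernames per source, rather than failures per account, is what separates a collision attack from ordinary lockout logic: the attacker touches each account only once, so per-account failure counters never trip. The slow source in the sample (one attempt every half hour) shows the limit of a short window; catching that case needs a longer window or correlation across addresses, which is why the stronger mitigations in this story are the ones on the account side, namely unique passwords and two-step verification.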

At the same time, the business of selling leaked data and privacy has continued despite repeated bans.

In 2017, the Ministry of Public Security directed the cracking of a major case of theft and trafficking of citizens' information, arrested 96 suspects and initially seized 5 billion pieces of stolen citizens' personal information involving logistics, medical care, social networking, banking, etc.

In Huang Yang's opinion, many criminal hackers today use little real technology at all; most of them succeed by using leaked data for "database collision". This Apple ID theft, too, is more likely a database collision or an insider job.

It is understood that in the information security industry, 30% of current data leaks come from hackers and 70% come from insiders.

Since hackers operate anonymously, most hacker attacks are carried out for profit.

In this Apple ID theft incident, apart from the leaked accounts themselves, the password-free payment that Apple's phones force on users was the main reason so many users suffered financial losses.

In the QQ rights-protection group, Apple's mandatory password-free payment has become the focus of the stolen-account users' rights-protection efforts.

The Jinwan Finance reporter found that the payment methods built into an Apple account include Alipay, WeChat, bank card, quick payment and others, and that when binding an Apple account to a payment method such as Alipay or WeChat, the user must choose password-free payment.

The best way to cash out money on the Internet is to top up games or purchase props, so many people's accounts were stolen and used to buy game equipment or open paid subscriptions. "The higher the paid subscription volume, the more money the hacker gets," Zhao Wu said.

Both sides pass the buck: who is responsible?

Although Apple responded on October 11 that it was actively addressing the problem of ID theft, Apple's China offices in Shanghai, Beijing and elsewhere said they were unable to process refund requests from users whose accounts had been stolen.

Some Apple phone users' Alipay accounts were also stolen. When Jinwan Finance asked how Ant Financial, the company that owns Alipay, would handle the situation, a staff member from Ant Financial's marketing and public relations department said that this was mainly due to the leakage of Apple IDs. If the account is leaked, any payment method will be at risk.

In fact, similar cases have occurred many times in the security field before. "Even if the hacker is eventually caught, no one or company will claim responsibility for the large number of victims," ​​Zhao Wu said.

Under Article 287 (using computers to steal public or private property) and Article 264 of the Criminal Law of the People's Republic of China, if the amount of public or private property stolen is huge or there are other serious circumstances, the offender shall be sentenced to fixed-term imprisonment of not less than three years but not more than ten years.

Once a hacker is caught, legal sanctions await him. But how should the relevant companies be held responsible?

On January 3, 2018, two vulnerabilities in Intel chips, called "Meltdown" and "Spectre", were disclosed. Hackers can use them to read device memory and obtain sensitive information such as passwords and keys. CPU products from Intel, ARM, AMD and others were affected; Intel's CPUs were hit hardest, with all Core processors from the 1st to the 8th generation affected.

After the incident, giants such as Intel, Microsoft, Google, Apple, Amazon, ARM, etc. joined forces to try to resolve the vulnerability problem.

Huang Yang believes that issues in the security field often require the joint efforts of multiple parties to be resolved.

In this Apple ID theft incident, at least in the forced password-free payment flow, Apple's design had security problems.

"Apple's mandatory password-free payment is for convenience: it chooses convenience over security. Adding a password, secondary identity authentication or biometrics can greatly help users avoid card fraud." Zhao Wu said that after the victims' rights-protection efforts, Apple may change the default of mandatory password-free payment.

For ordinary Apple phone users who want to keep the information on their phones from being stolen, Zhao Wu recommends mainly the following:

First, use a different payment account and password on each platform; second, turn on two-step verification and, wherever possible, turn off password-free payment; third, avoid free or public Wi-Fi, do not use public charging cables, do not scan unknown QR codes, and so on.

(Zhao Xuejiao also contributed to this article)
