Apple Admits MITM iCloud Attack in China

Apple has finally confirmed that its iCloud service has been the subject of a Man in the Middle (MITM) campaign but fell short of blaming the authorities, who are suspected of the attacks.

In an update on its support pages, the US tech giant said it had become “aware of intermittent organized network attacks using insecure certificates to obtain user information.”

It continued:

“These attacks don't compromise iCloud servers, and they don't impact iCloud sign in on iOS devices or Macs running OS X Yosemite using the Safari browser.

The iCloud website is protected with a digital certificate. If users get an invalid certificate warning in their browser while visiting www.icloud.com, they should pay attention to the warning and not proceed. Users should never enter their Apple ID or password into a website that presents a certificate warning.”

Cupertino then demonstrated how users can check the contents of the digital certificate relating to the iCloud site they’re on to ensure it’s authentic – on Safari, Chrome and Firefox.

Greatfire.org, the anti-censorship body which broke the story, claimed that Chinese internet and browser firm Qihoo 360 was effectively complicit in the MITM because it would not flag an invalid digital certificate in the event of an attack.

Apple on Tuesday also apparently changed the specific IP address – 23.59.94.46 – which was being targeted by the attackers. However, it remains to be seen whether the Great Firewall will refocus efforts on a new IP address.

If Beijing is to blame, as appears likely given that the attacks are being launched from servers owned by state-run telcos, it would seem to be a response to the increased efforts by foreign tech firms to encrypt communications.

Darien Kindlund, director of threat research at FireEye, claimed the attackers did not seem to care if they were discovered.

“It's a very weak attempt at performing Man in the Middle, because the certificates used were all self-signed. They didn't even bother to tie the issued certs back to an 'official' CN-based certificate authority,” he said.

“This type of attack, when successful, is exceptionally harmful to all users of iCloud or any other compromised service, as all sensitive data including credentials are accessible by the MITM operators.”
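The indicator Kindlund describes, a leaf certificate whose issuer is simply itself, can be checked mechanically. The Python below is an added example, not code from the article, Apple or FireEye: it walks the DER of a certificate far enough to compare the issuer and subject Names, and `site_presents_self_signed_cert` fetches a live server's certificate with the standard library's `ssl.get_server_certificate`. The DER parser, the tiny encoder and the sample certificate it builds are my own constructions (the sample is unsigned and not a real certificate).

```python
import ssl

def der_tlv(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, value, next_pos). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(cert_der):
    """Return raw DER of the issuer and subject Names (RFC 5280 TBSCertificate field order)."""
    _, cert_body, _ = der_tlv(cert_der)  # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = der_tlv(cert_body)       # first element is TBSCertificate
    fields, pos = [], 0
    while pos < len(tbs):                # collect each top-level TLV as (tag, raw bytes incl. header)
        tag, _, nxt = der_tlv(tbs, pos)
        fields.append((tag, tbs[pos:nxt]))
        pos = nxt
    if fields[0][0] == 0xA0:             # optional [0] EXPLICIT version comes first when present
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]

def is_self_signed(cert_der):
    """Issuer identical to subject: self-issued, as a self-signed MITM cert is (CA roots are too)."""
    issuer, subject = issuer_and_subject(cert_der)
    return issuer == subject

def site_presents_self_signed_cert(hostname, port=443):
    """Fetch the leaf certificate a server presents (without verifying it) and classify it."""
    pem = ssl.get_server_certificate((hostname, port))
    return is_self_signed(ssl.PEM_cert_to_DER_cert(pem))

# Constructed sample data for offline testing: a tiny unsigned certificate, not a real one.
def der(tag, content):
    """Minimal DER encoder (short and one-byte long-form lengths, enough for the sample)."""
    n = len(content)
    return (bytes([tag, n]) if n < 128 else bytes([tag, 0x81, n])) + content

def name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (commonName), UTF8String cn } } }"""
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))

def make_sample_cert(issuer_cn, subject_cn):
    sha256_rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    validity = der(0x30, der(0x17, b"141020000000Z") + der(0x17, b"151020000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa
              + name(issuer_cn) + validity + name(subject_cn))
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00\x00"))
```

A `True` result for a public site such as www.icloud.com is the condition behind the browser warning Apple's notice tells users not to click through; a legitimately issued leaf certificate names a CA, not itself, as issuer.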
