Recently, Google’s Project Zero published a report describing a newly-discovered campaign of surveillance using chains of zero day iOS exploits to spy on iPhones. This campaign employed multiple compromised websites in what is known as a “watering hole” attack. The compromised websites would automatically run the chain of exploits on anyone who visited, with the aim of installing a surveillance implant on the device. Google didn’t reveal the names of the websites or indeed who was being targeted but it soon became clear through other reporting that the likely target of this campaign was the Uyghur community, a Turkic Muslim minority in China facing mass detention and other harsh crackdowns perpetrated by the Chinese government with the most repressive policies coming into place in recent years.
Security company Volexity followed up the week after with detailed reports of similar website exploit chains targeting Android and Windows devices, again hosted on websites with a primarily Uyghur readership. This week, another publication confirmed that the Chinese government had compromised several international telcos in order to perform yet more invasive surveillance on expatriated Uyghurs.
Resetting Our Thinking on States and Zero Days
There are many important things to take away from these astonishing reports by Google and others. The biggest lesson is that we have to re-consider our understanding how state actors use zero days. The dominant thinking among security researchers has long been that governments and law enforcement would only want to use zero-day exploits sparingly and with very specific targets, to reduce the risk that an exploit would be discovered by security researchers or companies, who would then fix the bugs underlying the exploit, thus rendering it useless.
Zero day exploits can be expensive, with iPhone exploits used against a single activist reportedly fetching upwards of 1 million dollars. Google’s report seemingly upends the traditional logic of zero day economics. This time a zero day was being used to exploit thousands of users, indiscriminately targeting all visitors to a specific set of websites. But if we consider the targets of this campaign and the likely actors behind it, the economics make perfect sense. While it is new to observe a state sponsored actor burning zero-days to target an entire community instead of one individual in the community it is a reasonable tactic in this case.
These attacks likely have the goal of spying on the Uyghur diaspora outside China, to gain as much intelligence as possible on anyone associated with this movement within China or supporting the community from outside of China’s national borders. In the past, China has already arrested many community leaders, Uyghur activists, human rights defenders, as well as their relatives, and is likely interested in discovering any nascent leaders before they become a problem.
Google’s report and Apple’s recent response both miss the mark on the impact of this attack. Google’s Project Zero post was vague about the targeted nature of the attack saying “There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device … we estimate that these sites receive thousands of visitors per week.” Apple’s response understates the impact of the vulnerability stating, “the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ‘en masse”’as described." The reality is more complicated, this was a highly targeted attack against every member and supporter of the Uyghur community. Though this is technically a “watering hole” attack, the websites reported by Volexity as having been compromised were all hyper-targeted at the Uyghur community and its supports. Some were written in the Uyghur language, a Turkic language written with the Arabic script, which very few modern Turkic languages use today.
Google's post was light on specifics, but Project Zero researcher and report author Ian Beer highlighted an important way in which this discovery impacts the way we think about device security:
Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you're being targeted. To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group. All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them. I hope to guide the general discussion around exploitation away from a focus on the million dollar dissident and towards discussion of the marginal cost for monitoring the n+1'th potential future dissident. I shan't get into a discussion of whether these exploits cost $1 million, $2 million, or $20 million. I will instead suggest that all of those price tags seem low for the capability to target and monitor the private activities of entire populations in real time.
If you are targeting one activist, it might cost one million dollars for the necessary zero day exploit, but if you are able to monitor thousands of activists or an entire ethnic population with a single exploit suddenly the cost per person drops down to a much more affordable price. It’s unreasonable to think that economics of scale don’t apply to zero day exploits as they do to everything else. Many countries have an interest in targeting specific populations for surveillance (Palestinians in Israel, undocumented immigrants in the US, Kurds in Iran.) With that in mind, it’s likely that this is not the last time we will see a state actor targeting an entire ethnic or activist group en masse with zero day exploits.