iCloud attack is blunt and obvious

A man-in-the-middle (MITM) attack in China against logins to Apple's iCloud is easily detected by web browsers, but appears sophisticated in other ways.

The attack against Apple's iCloud in China is a perplexing one. It seems to be designed to be noticed rather than to fool anyone.

The original report, it's worth noting, is by greatfire.org, an activist group "bringing transparency to the great firewall of China." That doesn't make anything they say inaccurate, but perhaps they downplay the considerable mitigating factors against the attack.

The mechanisms in the attack are what makes it both ominous and amateurish. The ominous part comes from the fact that the attackers were able to hijack an IP address (specifically, the one to which icloud.com's DNS pointed) and redirect users to a fake site.

This is not the sort of thing that happens a lot in the US, although attackers would love to be able to do so. There are very hard ways you might accomplish it by attacking ISPs, but the easy way is with inside access to the ISP. This is the sort of access a government might have. In fact, the address is actually owned by Akamai, so the interception really needs to be happening at the ISP.


But then, when the user gets to the fake site, they almost certainly will see a big, obvious error message telling them that something is wrong with the site. The connection to iCloud, as to any responsible service these days, uses SSL/TLS for security. A real site will get a certificate issued by a trusted certificate authority, and browsers and other client software check the certificate to see if it was issued by an authority in the trusted list. The fake iCloud.com certificate on the fake iCloud site is not signed by a trusted authority, but rather by the attackers, and therefore the public-key cryptography checks performed by the browser will show that the certificate was not in fact signed by Apple.

This is the point where the user gets that big, obvious error. In Safari it is an interstitial screen — one that uses the entire display — that shows the error message nearby. (My example uses a different site, but the rest of the message would be the same.) Follow the details and it says that the certificate for the site is not trusted.

I also tested current versions of Internet Explorer, Firefox and Chrome, and Internet Explorer 8 on Windows XP. All of them produced an interstitial screen warning that the user just couldn't miss. See examples below.


It's also worth noting that this is yet another case where two-factor authentication would prevent abuse of the stolen credentials.

Greatfire.org says that the Qihoo 360 "secure browser" does not detect the fake certificate. I can't verify this.

But with the large majority of users immediately being warned off the attack, is it really meant to be taken seriously? Motherboard speculates that the incident is a warning to Apple that they are being watched. This is possible *if* the attack really comes from the government, which isn't necessarily true, but even then it seems like an odd mechanism for warning Apple. Why not just tell Apple what they have to say? If there was a message here I missed it.