iCloud faces man-in-the-middle attack in China

Yesterday I posted an article reporting that iCloud is under a man-in-the-middle attack in China,
http://www.zhoushuguang.com/2014/10/icloud-ssl-attack.html
and it was reposted to two major Chinese geek communities:
http://www.freebuf.com/news/47744.html
http://www.solidot.org/story?sid=41521

Chinese attackers are running a man-in-the-middle attack on the SSL-encrypted traffic between the iCloud servers and China Unicom users. The ISP (probably asked by the government to do so) replaced the iCloud certificate with a self-issued one. The government has conducted similar attacks against GitHub, Google, Windows Live and Yahoo.

Evidence and reproduction:

iCloud.com uses a CDN provided by akamai.com, so a lookup of iCloud.com returns many different DNS results, such as: 23.48.140.239, 23.13.186.46, 23.59.94.46

When you access one of those IPs over SSL, e.g. https://23.59.94.46/, the browser pops up an SSL warning. If you inspect the certificate, you will see that it is issued by a trusted certificate authority but does not match the domain, simply because we are connecting by IP instead of by name. End users get one of the DNS records above at random when they access iCloud.com.

We have confirmed that https://23.59.94.46/ is subject to a man-in-the-middle attack in China: when people in mainland China access https://23.59.94.46/, the SSL warning also pops up, but this time the certificate is not issued by a trusted certificate authority; it is self-issued. This means a Chinese ISP can steal any iCloud user's information by combining DNS pollution (DNS spoofing) with a man-in-the-middle attack. We do not yet know whether the attacker uses anycast to fake responses from 23.59.94.46 or simply inserts content between the end user and the real 23.59.94.46, but it does not look like something that personal resources could achieve. It is possibly a state-sponsored attack operated by China Unicom.
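The manual check described above separates two questions that a browser warning lumps together: does the certificate chain to a trusted root, and does its name match the host? Connecting to a CDN node by bare IP is expected to fail only the second; a self-issued certificate fails the first. The following script, added here as an example and not the author's code, makes that distinction explicit. It uses only the Python standard library; the `SAMPLE_CDN_CERT` dict and the "Example Trusted CA" issuer are constructed for the offline check, and `probe()` needs network access to run against a real IP.

```python
"""
Classify the certificate a TLS endpoint presents, mirroring the manual check in
the post: a certificate from a trusted CA that merely fails the hostname check
is the expected result when you connect to a CDN node by bare IP, whereas a
self-issued or otherwise untrusted certificate is the interception indicator.

Added example, not the author's code. SAMPLE_CDN_CERT is constructed.
"""
import socket
import ssl
import sys

OK = "trusted CA, name matches"
TRUSTED_NAME_MISMATCH = "trusted CA, name mismatch (expected when connecting by IP)"
SELF_ISSUED = "self-issued certificate (possible interception)"
UNTRUSTED = "untrusted issuer (possible interception)"

# OpenSSL X509_V_ERR codes surfaced by ssl.SSLCertVerificationError.verify_code
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19


def _name_matches(host, names):
    """Minimal RFC 6125 style match: exact, or a single leading '*.' label."""
    host = host.lower()
    for name in names:
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def classify_peercert(peercert, expected_host):
    """peercert is a dict in the shape ssl.SSLSocket.getpeercert() returns after a
    successful verifying handshake, i.e. the chain already leads to a trusted root."""
    names = {value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"}
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value)
    return OK if _name_matches(expected_host, names) else TRUSTED_NAME_MISMATCH


def classify_verify_failure(verify_code):
    """Map a failed chain verification to the two outcomes the post cares about."""
    if verify_code in (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
                       X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN):
        return SELF_ISSUED
    return UNTRUSTED


def probe(ip, expected_host="www.icloud.com", port=443, timeout=5):
    """Handshake against the system root store with hostname checking disabled,
    so chain trust and name match are judged separately, as in the post."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we evaluate the name ourselves in classify_peercert
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=expected_host) as tls:
                return classify_peercert(tls.getpeercert(), expected_host)
    except ssl.SSLCertVerificationError as err:
        return classify_verify_failure(err.verify_code)


# Constructed sample in getpeercert() format: a CDN leaf from a hypothetical trusted CA.
SAMPLE_CDN_CERT = {
    "subject": ((("commonName", "*.icloud.com"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "*.icloud.com"), ("DNS", "icloud.com")),
}

if __name__ == "__main__":
    # Usage: python probe_cert.py 23.59.94.46 [expected_host]
    target = sys.argv[1] if len(sys.argv) > 1 else "23.59.94.46"
    host = sys.argv[2] if len(sys.argv) > 2 else "www.icloud.com"
    print(target, "->", probe(target, host))
```

Running `probe()` from inside and outside the affected network and comparing the two labels reproduces the post's observation without relying on a browser dialog: the same IP should yield the name-mismatch label everywhere, and a self-issued label on one path only is the interception signal.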

[Image: fake_cert, self-issued certificate]

[Image: fake_cert_part2, self-issued certificate]

Here is the traceroute result when I use a VPN into China:

gongzuola:~ zola$ traceroute 23.59.94.46
traceroute to 23.59.94.46 (23.59.94.46), 64 hops max, 52 byte packets
 1  1.1.1.1 (1.1.1.1)  56.559 ms  55.089 ms  53.591 ms
 2  122.195.100.1 (122.195.100.1)  59.504 ms  59.694 ms  67.255 ms
 3  221.6.161.115 (221.6.161.115)  60.369 ms  59.645 ms  59.935 ms
 4  221.6.161.201 (221.6.161.201)  65.318 ms  66.238 ms  64.967 ms
 5  219.158.99.157 (219.158.99.157)  72.216 ms  75.174 ms  71.490 ms
 6  219.158.23.118 (219.158.23.118)  71.202 ms  86.678 ms  70.070 ms
 7  219.158.97.90 (219.158.97.90)  80.942 ms  80.418 ms  78.451 ms
 8  219.158.39.198 (219.158.39.198)  145.922 ms  148.226 ms  152.103 ms
 9  ae-1.r00.osakjp02.jp.bb.gin.ntt.net (129.250.2.253)  119.905 ms  120.990 ms  120.094 ms
10  a23-59-94-46.deploy.static.akamaitechnologies.com (23.59.94.46)  135.492 ms  141.408 ms  131.901 ms
gongzuola:~ zola$

The man-in-the-middle attack ONLY affects people who live in China. 23.48.140.239 and 23.13.186.46 did not face the man-in-the-middle attack.

[Image: icloud_nomal, normal certificate from iCloud.com]

After my report, many media outlets reported the issue:

http://www.freebuf.com/news/47744.html
http://www.solidot.org/story?sid=41521

http://mashable.com/2014/10/20/china-attacks-apple-microsoft/
http://it.people.com.cn/n/2014/1021/c1009-25874921.html
http://www.dw.de/a-18009603?maca=chi-rss-chi-all-1127-rdf
