In mid-October, groups of coders converged at a convention center in Chengdu, southwest China, to participate in a hacking tournament known as the Tianfu Cup. On the table was nearly $1.5 million in cash. The challenge was to break into some of the most commonly used software tools and platforms: Windows 10, Google Chrome, iOS 15, and Microsoft Exchange Server.
In the end, most of them were hacked with methods never seen before, uncovering a host of previously unknown flaws known as 0-day (zero-day) vulnerabilities.
What the hackers got
The recently launched iPhone 13, along with Windows 10, Google Chrome and Microsoft Exchange were successfully breached in the Tianfu Cup, the fourth edition of the cybersecurity competition which organizers say is open to participants from all over the world.
The biggest slice of the pie went to Kunlun Lab, a Beijing-based cybersecurity company that hacked the most devices in the shortest time, taking home $654,000. Kunlun's CEO, who tweets as @mj0011, said the iPhone hack took only 15 seconds (it was worth $120,000 by itself).
Zero-day vulnerabilities give malicious actors the ability to break into devices and spy on or steal data from their targets. For example, the notorious Israeli cyber weapon company NSO Group used such loopholes in iOS, weaponized as exploits, to deliver the Pegasus spy tool to targets' phones. Apple shipped a patch in mid-September, urging iPhone users to install it immediately.
The hacks of the other software are no less serious. Successful breaches of Windows 10, Chrome, and Safari, for example, allow attackers to target people on PCs and laptops. A 0-day exploit in Microsoft Exchange Server can compromise the security of the thousands of businesses that rely on it for their email.
Is this worrying? Yes
The Tianfu Cup largely follows in the footsteps of a similar hacking competition known as Pwn2Own, which recently took place in the United States. Such competitions have clear rules for disclosing vulnerabilities, as hacker conferences typically do.
The most common premise is that the vulnerabilities must first be reported to the companies that make the affected tools and devices, so that the flaws can be patched before their details are released.
All affected vendors are expected to release their fixes soon.
But it's a bit more complicated with the Tianfu Cup. Recorded Future threat analyst Devin Thorne and Australian Strategic Policy Institute (ASPI) analyst Samantha Hoffman wrote in an editorial published earlier this year that there is a real risk that the vulnerability disclosure rules instituted by the Chinese government put the country's national interest first.
This is not just a fear. In 2018, that year's Tianfu Cup-winning iPhone hack was used to break into the phones of Uyghur militants and spy on them. Beijing did not acknowledge this. Researchers said the signs of Uyghurs being targeted began almost immediately after the Tianfu Cup and continued until Apple had a chance to plug the loophole. Even then, many of those who did not upgrade their device software continued to be targeted.
Uyghurs are a religious minority that China has, by all independent accounts, been accused of persecuting on a systemic scale, an allegation the state denies.
More recently, there have been concerns that China's new network product security vulnerability management regulations, which came into effect on September 1, will help Beijing's security apparatus get its hands on 0-day vulnerabilities before they are released: they cannot be reported to anyone abroad except the affected company. This includes a ban on reporting them to private bug bounty companies (which coordinate the disclosure of vulnerabilities and help white hat hackers get paid by the companies whose products they help secure).
This ties in with earlier surveillance fears related to laws and regulations in China. In July 2020, cybersecurity researchers told HT that China's intelligence law, which came into effect in 2017, allows the government to access all data collected by Chinese businesses and citizens.
Why should India be careful?
India is not seen as a major cyber power. The Belfer Center for Science and International Affairs at Harvard Kennedy School ranks China as the second most powerful cyber actor in the world, behind the United States.
India is not in the top 10; it ranks 21st, behind countries like Malaysia and Vietnam, according to the Belfer Center's National Cyber Power Index 2020.
The ranking takes into account both capability and intent, and India sits in the low-capability, low-intent quadrant.
This is where the Tianfu Cup can be a lesson for India. The origin of the Chinese hacking tournament lies in nationalism. In 2017, China banned its security researchers from participating in competitions like Pwn2Own, months after Zhou Hongyi, co-founder of Qihoo 360 (one of China's largest IT companies), told a Chinese media outlet in an interview that knowledge of undisclosed software vulnerabilities "should stay in China".
Like China, India must foster a talent pool in the field and encourage cybersecurity research through awards and recognition, as the Tianfu Cup does.
After that will come doctrinal decisions that require careful calibration. Recent high-profile hacks, such as the SolarWinds breach that reached the heart of the U.S. government, demonstrate that doctrinal questions are complex and that even the world's foremost cyber power, the United States, may not yet have the perfect answer.
China is a significant potential adversary for India, and the capability gap is too great to be allowed to persist at a time when the next interstate offensive is likely to involve a significant cyber component.
Opinions expressed are personal