China's Cyber War on the Protesters

By Paul Rosenzweig
Monday, October 6, 2014, 8:30 AM

As Benjamin Bissell noted a few days ago, Hong Kong protesters have developed some interesting ways of trying to evade Chinese repression, including the use of an app, FireChat, that lets them communicate without using the internet at all.  But, as you might expect, China was never likely to stand idly by.  Consider this report from The Diplomat, outlining some of China's efforts to counter the protesters' activities.  They have, on the whole, been remarkably sophisticated.

  • They include a quite complex new piece of malware, dubbed Xsser, that infects both Android and Apple iOS devices; such cross-platform malware is rare and considerably harder to write.
  • They also involve only the third known Man-in-the-Middle attack originating in China, this one against Yahoo.
  • And, of course, we've seen traditional internet censorship increase, now blocking search terms such as "Occupy Central" and "Hong Kong students".

Perhaps most disturbing of all, FireChat may not be as secure and sophisticated as it seems.  As one security researcher at the hackerspace Breizh-Entropy put it:

[I]n its current state FireChat suffers from several flaws that make it unsuitable for an event like the "Umbrella Revolution". First, the application is closed source and its internal mechanisms are pretty difficult to understand at first. It is hard to fully comprehend whether a message goes public or stays local. The lack of information regarding this matter makes it irresponsible to ask users to fill in their real name before using the application.

During the study, we stressed that not only is every message sent broadcast locally (over both Bluetooth and Wifi) regardless of the room, but we also showed how easy it was to intercept and send information from/to FireChat users. Given the political context of the Umbrella Revolution, I would advise people to stop using FireChat or at least try to avoid leaking any information that could link to their real identity.
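To make the two findings in that quote concrete, here is an added toy model of a room-scoped chat running over a shared local broadcast. It is not FireChat's code or protocol; the frame format, the class names and the sample messages are all constructed for this illustration. What it shows is the general failure mode the researcher describes: when the room is checked only by the receiving client, a node that never joined any room still collects every room's traffic, and when nothing binds a sender name to a key, an injected frame is displayed under a real participant's name.

```python
# Added illustration: a toy model of a room-scoped chat over a shared local
# broadcast medium. It is NOT FireChat's code or protocol; the frame format,
# class names and sample messages are constructed for this example.
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    room: str
    sender: str
    text: str

    def to_frame(self) -> bytes:
        # Assumed plaintext frame format: no signature, no encryption.
        return json.dumps({"room": self.room, "sender": self.sender,
                           "text": self.text}).encode()

    @classmethod
    def from_frame(cls, frame: bytes) -> "Message":
        d = json.loads(frame.decode())
        return cls(d["room"], d["sender"], d["text"])


class Medium:
    """Shared radio channel: every attached node hears every frame."""

    def __init__(self) -> None:
        self.nodes = []

    def attach(self, node) -> None:
        self.nodes.append(node)

    def broadcast(self, frame: bytes) -> None:
        for node in self.nodes:
            node.receive(frame)


class ChatClient:
    """Well-behaved client: joins one room and displays only that room.

    The room check runs on the receiver after the frame has already arrived,
    so it is a display filter, not an access control."""

    def __init__(self, medium: Medium, name: str, room: str) -> None:
        self.medium, self.name, self.room = medium, name, room
        self.displayed: list[Message] = []
        medium.attach(self)

    def send(self, text: str) -> None:
        self.medium.broadcast(Message(self.room, self.name, text).to_frame())

    def receive(self, frame: bytes) -> None:
        msg = Message.from_frame(frame)
        if msg.room == self.room:
            self.displayed.append(msg)


class Sniffer:
    """Passive listener plus injector. Needs nothing but radio range."""

    def __init__(self, medium: Medium) -> None:
        self.medium = medium
        self.captured: list[Message] = []
        medium.attach(self)

    def receive(self, frame: bytes) -> None:
        # Every room, every sender: the sniffer never joined anything.
        self.captured.append(Message.from_frame(frame))

    def inject(self, room: str, sender: str, text: str) -> None:
        # Nothing binds `sender` to a key, so any name can be claimed.
        self.medium.broadcast(Message(room, sender, text).to_frame())


def run_scenario() -> dict:
    """Two rooms on one medium; returns what each party ended up seeing."""
    medium = Medium()
    # Constructed participants and messages.
    alice = ChatClient(medium, "Alice Wong", "umbrella-planning")
    bob = ChatClient(medium, "Bob", "umbrella-planning")
    carol = ChatClient(medium, "Carol", "food-and-water")
    eve = Sniffer(medium)

    alice.send("Meet at Admiralty at 8pm")
    carol.send("Water drop at the bridge")
    eve.inject("umbrella-planning", "Alice Wong", "Plans changed, go home")

    return {
        # The sniffer holds both rooms' traffic without joining either.
        "sniffed": [(m.room, m.sender, m.text) for m in eve.captured],
        # Bob's view: the spoofed frame appears under Alice's real name.
        "bob_view": [(m.sender, m.text) for m in bob.displayed],
        # Carol sees no planning traffic only because her client filtered it.
        "carol_view": [(m.sender, m.text) for m in carol.displayed],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The point of the model is the `if msg.room == self.room` line: a receiver-side filter decides what a cooperating client shows, not what an uncooperative radio hears, and it gives a user no way to tell from the app alone whether a message "went public". That is why the researcher's advice is about real names rather than room choice; with no sender authentication, a real name attached to a broadcast is the one thing a bystander can reliably collect and reuse.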

Another of my security colleagues reminded me that a supposedly useful communications app from the Arab Spring also had a significant security hole.  That raises an interesting question: are these security gaps accidental, or are they, perhaps, purposeful and part of an effort to lure protesters into using seemingly useful but insecure communications?

In cyber conflict, it seems like we are always "in a maze of twisty passages, all alike."