To access data from unsuspecting users, the Chinese Communist Party (CCP) could be exploiting a universal authentication process that is thought to be secure, but in reality may not be, cybersecurity experts warned.
While encryption remains the preferred method to secure digital data and protect computers, in some cases, the very digital certificates used for authentication on the Internet are allowing the Chinese regime to infiltrate various computer networks and wreak havoc, they said.
Bodies around the world, known as “Certificate Authorities” (CAs), issue digital certificates that verify a digital entity’s identity on the Internet.
A digital certificate can be compared to a passport or driver’s license, Andrew Jenkinson, CEO of cybersecurity firm Cybersec Innovation Partners (CIP) and author of the book “Stuxnet to Sunburst: 20 Years of Digital Exploitation and Cyberwarfare,” told The Epoch Times.
“Without it, the person or device they are using cannot be according to industry standards and vital data encryption could be bypassed leaving what was assumed to be encrypted in plain text form,” he said.
Through cryptography, digital certificates are used to encrypt internal and external communications that prevent a hacker, for example, from intercepting and stealing data. But invalid or “rogue certificates” can manipulate the entire encryption process, and as a result, “millions of users have been given a false sense of security,” Jenkinson said.
Layers of False Trust
Michael Duren, executive vice president of cybersecurity firm Global Cyber Risk LLC, explained that digital certificates are typically issued by trusted CAs, and equal levels of trust are then passed on to intermediate providers. However, there are opportunities for a communist entity, a bad actor, or another untrustworthy entity to issue certificates to other “nefarious folks” that would appear to be trustworthy but are not, he said.
“When a certificate is issued from a trusted entity,” Duren said, “it’s going to be trusted, but what the issuer could actually be doing is passing that trust down to someone that shouldn’t be trusted.”
Duren said he would never trust a Chinese certificate authority for this reason, adding that he is aware of a number of companies that have banned Chinese certificates over issuing them to entities that cannot be trusted.
Chinese certificate authorities, Jenkinson said, make up a small proportion of the overall sector, and the certificates they issue are typically confined to Chinese entities and products.
Prince, a member of the hacking group Red Hacker Alliance who refused to give his real name, uses his computer at their office in Dongguan, China’s southern Guangdong province on Aug. 4, 2020. (Nicolas Asfouri/AFP via Getty Images)
In 2015, certificates issued by the China Internet Network Information Center (CNNIC), the state-run agency that oversees China’s domain name registry, were called into question. Google and Mozilla banned CNNIC certificates after unauthorized digital certificates connected to several domains were discovered. Both Internet firms objected to CNNIC having delegated its authority to issue certificates to an Egyptian company, which issued the unauthorized certificates.
According to Jenkinson, the CNNIC certificates were banned because “they had back doors in them.”
“A back door means [the Chinese certificate authority] could literally take over administration access and send data back to the mothership,” he said.
Since 2016, Mozilla, Google, Apple, and Microsoft have also banned the Chinese certificate authority WoSign and its subsidiary StartCom over unacceptable security practices.
Despite these bans on Chinese digital certificates in recent years, the CCP has not been deterred and is playing the long game, Jenkinson warned.
He pointed to an alarming discovery made by his cybersecurity firm two years ago affecting a multinational consulting company.
Typically, digital certificates are valid for a couple of years, depending on the certificate authority, and renewal is required to keep them valid and the data they are supposed to protect secure, he said.
“But in 2019, CIP discovered Chinese certificates that were in place for 999 years,” Jenkinson said.
His firm made this discovery when examining the laptops of a prominent global consulting company.
Signs that depict the four members of China’s military indicted on charges of hacking into Equifax Inc. and stealing data from millions of Americans are seen shortly after Attorney General William Barr held a press conference at the Department of Justice in Washington on Feb. 10, 2020. (Sarah Silbiger/Getty Images)
Jenkinson brought this security flaw to the firm’s attention, and offered services to secure its computer and customer networks. But the company declined.
“Either they are incredibly complacent, or they are complicit,” he said, adding that the company’s clients include U.S. government entities.
This multi-billion-dollar company’s failure to remedy this issue means that hundreds of thousands of people could be exposed to Chinese infiltration via this firm’s lax security, Jenkinson said.
The firm is compromising its customers every time someone uses one of its laptops, he added. For instance, companies or clients using the company’s services could be held to ransom, have their intellectual property stolen, or have malicious code planted on their systems for later use.
This company is “in breach of every regulation of privacy known to man—and they just want to dismiss it,” the cybersecurity professional said, particularly pointing to the European Union’s strict data protection laws.
And if this information were made public, Jenkinson said, the repercussions would be extensive.
“Imagine a waterhole attack or a drive-by attack, one where a cyber criminal can just sit there and easily gain access to capture data without even thinking about it or having to decrypt it—because it’s all in plain text [due to a rogue certificate or configuration error],” he said.
For such a large reputable company to choose not to protect their clients is “madness,” Jenkinson said.
A ‘Slippery Slope’
Economic losses from cyber crimes are far from trending in the right direction, Jenkinson noted.
Global losses from cyber crime exceeded $1 trillion in 2020, according to a report from computer security company McAfee. In 2021, losses are expected to escalate to over $6 trillion, research firm Cybersecurity Ventures said.
Jenkinson predicts that economic losses will exceed $10 trillion by 2025. At this pace, “this will impact every man, woman, and child,” he said. “The slippery slope we’re on, well, we’re greasing it ourselves.”
To reverse this trend, as a start, “people should not be using CNNIC digital certificates,” Jenkinson said.
Duren of Global Cyber Risk agreed, saying, “Anything coming out of a state-controlled entity like communist China acting as a certificate authority should not be trusted.”
CAs need better controls and oversight, Jenkinson said. “Without this nobody has any chance of knowing what digital certificates are being used, considering that a standard laptop contains hundreds of thousands of digital certificate instances.”
He noted that Chinese computer products will predominantly use Chinese digital certificates. Therefore, he said, users of such products should be aware that their security could be compromised as a result.
J.M. Phelps, freelance reporter
J.M. Phelps is a writer and researcher of both Islamist and Chinese threats.