CIA hackers are targeting smartphones, computers, Smart TV, and… cars?
Yesterday, WikiLeaks published thousands leaked internal CIA documents.
The leak, dubbed “Vault 7”, is claimed to be
“the largest ever publication of confidential documents on the agency”
The first documents released appear to be fairly recent:
The first full part of the series, “Year Zero”, comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virgina.
I try to create a press review (updated regularly) with the highlights that emerged:
Apple late on Tuesday issued a statement to TechCrunch designed to alleviate concerns that the company’s products might still be vulnerable to a laundry list of CIA exploits. In short, Apple maintains that many of the iOS vulnerabilities the CIA previously relied upon have already been patched.
“On Android there are a couple of dozen exploits that they’ll need to manage,” Shaulov told Forbes. The report notes that the vulnerabilities detailed in the WikiLeaks CIA documents appear to only target Android 4.4 and earlier versions, but that still leaves hundreds of millions of users at risk. According to Google’s own Android version distribution data, 33.4% of all active Android devices run Android 4.4 or older versions of Android.
As for the alleged CIA dump, Wikileaks claims a former US government hacker or contractor provided portions of the archive.
“The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyber weapons,” Wikileaks’ press release reads.
The CIA did not respond to Motherboard’s request for comment.
The “Weeping Angel” project’s page from 2014 is a prime example: It discusses ways to turn certain 2013-model Samsung “smart TVs” into remote listening devices; methods for disabling the LED lights that indicate the TV is on; and suggestions for fixing a problem with the exploit in which the WiFi interface on the TV is disabled when the exploit is run.
ToDo / Future Work:
Build a console cable
Turn on or leave WiFi turned on in Fake-Off mode
Parse unencrypted audio collection
Clean-up the file format of saved audio. Add encryption??
According to the documentation, Weeping Angel worked as long as the target hadn’t upgraded the firmware on the Samsung TVs. It also said the firmware upgrade eliminated the “current installation method,” which apparently required the insertion of a booby-trapped USB device into the TV.
On ValigiaBlu, an italian online magazine, Tommaso Tani tries to reassure readers about the vulnerabilities used to access mobile devices:
La “buona notizia” è che non c’è nulla di (particolarmente) nuovo sotto al sole: soprattutto per quanto riguarda Android, le vulnerabilità utilizzate sono reperibili in rete (o nella darknet) e affliggono principalmente i dispositivi non aggiornati (aggiornate sempre il software, sia del telefono che del computer). Idem per i device Apple: apparentemente, nessun exploit veniva utilizzato per versioni di iOS (il sistema operativo) successivo all’8, come si evince da una perfetta tabella riassuntiva.
(The “good news” is that there is nothing (particularly) new under the sun: especially regarding to Android, vulnerabilities used are available online (or in the darknet) and mainly afflict outdated devices (update software, on the phone and on the computer). Same for Apple devices: apparently, no exploit was used for versions of iOS (the operating system) after the version 8, as evidenced by a perfect summary table.)
The documents, if they are indeed legitimate, include charts that detail iOS exploits that would allow the CIA to surveil iPhone users and, in some cases, control their devices. Some of the exploits may have been developed in-house, while others appear to have been purchased, copied or downloaded from non-governmental sources.
However, Apple says that many of the iOS exploits in the Wikileaks dump have already been patched and it is working to address any new vulnerabilities.
So could the CIA be using secret emoticons to communicate secrets? The more likely explanation is developers working for the intelligence agency were just having a little fun in the office.
Vault 7 documents show that by 2016, the CIA’s hacking arm had over 5000 active hackers. One hacking tool, which was done in cooperation with UK intelligence, is called Weeping Angel, an exploit that allows the CIA to use Samsung smart TVs to listen in on conversations even when the device is “off.”
In case you missed the news the CIA might be using your TV to spy on you, a peek at Twitter could help get you up to speed.
The social network was all over WikiLeaks’ Tuesday bombshell of thousands of documents it says were taken from the agency.
Evidence mounts showing CIA & FBI knew about catastrophic weaknesses in the most-used smartphones in America, but kept them open — to spy. https://t.co/mDyVred3H8
— Edward Snowden (@Snowden) March 7, 2017
— WikiLeaks (@wikileaks) March 8, 2017
— Matteo G.P. Flora (@lastknight) March 8, 2017
— Philip Schuyler (@FiveRights) March 8, 2017
— Kim Dotcom (@KimDotcom) March 8, 2017
— SwiftOnSecurity (@SwiftOnSecurity) March 8, 2017
— WikiLeaks (@wikileaks) March 7, 2017
So in the case of “Year Zero”, it doesn’t matter which messenger you use. No app can stop your keyboard from knowing what keys you press. No app can hide what shows up on your screen from the system. And none of this is an issue of the app.
Documents included in yesterday’s WikiLeaks Vault 7 dump reveal the CIA used code from public malware samples to advance its technical capabilities.
A special operational group existed in the CIA named Umbrage, which was tasked with reviewing public malware and embedding selected features into custom CIA hacking tools.
One of the hidden gems included in the Vault 7 data, dumped yesterday by WikiLeaks, is a document detailing bypass techniques for 21 security software products.
The full list of security products included in the WikiLeaks Vault 7 dump are as follows:
– Trend Micro
– Panda Security
– Malwarebytes Anti-Malware
– EMET (Enhanced Mitigation Experience Toolkit)
– Microsoft Security Essentials
According to the documents:
– CIA hackers targeted smartphones and computers.
– The Center for Cyber Intelligence is based at the CIA headquarters in Virginia but it has a second covert base in the US consulate in Frankfurt which covers Europe, the Middle East and Africa.
– A programme called Weeping Angel describes how to attack a Samsung F8000 TV set so that it appears to be off but can still be used for monitoring.
But James Lewis, an expert on cybersecurity at the Center for Strategic and International Studies in Washington, raised another possibility: that a foreign state, most likely Russia, stole the documents by hacking or other means and delivered them to WikiLeaks, which may not know how they were obtained. Mr. Lewis noted that, according to American intelligence agencies, Russia hacked Democratic targets during the presidential campaign and gave thousands of emails to WikiLeaks for publication.
…in the documents are tools for hacking embedded operating systems, including a Python-based tool for sending commands to a remote keyboard emulator pushed to an embedded device.
“As for what ‘Equation’ did wrong… All their tools shared code,” one user, who like all the others was identified only by a unique identifier WikiLeaks used in place of a username, concluded on February 18, 2015, two days after the Kaspersky Lab findings were published. “The custom RC5 was everywhere. The techniques for positive ID (hashing) was used in the same way in multiple tools across generations.”
One nugget of particular interest to Trump supporters: a section titled “Umbrage” that details the CIA’s ability to impersonate cyber-attack techniques used by Russia and other nation states. In theory, that means the agency could have faked digital forensic fingerprints to make the Russians look guilty of hacking the Democratic National Committee.
One of the most shocking documents within Vault 7 is the CIA’s possibility of hacking cars. In detailed notes from a branch meeting, the CIA discusses the possibility of infecting the vehicle control systems used by modern cars and trucks. “The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations,” Wikileaks explained.
“Weeping Angel”, named after a terrifying Doctor Who monster that you really shouldn’t blink at, is installed via a USB stick.
If you’re worried about the prospect of an intelligence agency breaking into your home in order to plug a malicious USB stick into the back of your Samsung Smart TV then I’d argue you probably should also be worrying that intelligence agencies are breaking into your house full stop.
Snowden on Twitter said the files amount to the first public evidence that the U.S. government secretly buys software to exploit technology, referring to a table published by WikiLeaks that appeared to list various Apple iOS flaws purchased by the CIA and other intelligence agencies.
An Apple spokesman could not immediately be reached for comment.
The documents refer to means for accessing phones directly in order to catch messages before they are protected by end-to-end encryption tools like Signal.
Signal inventor Moxie Marlinspike said he took that as “confirmation that what we’re doing is working.” Signal and the like are “pushing intelligence agencies from a world of undetectable mass surveillance to a world where they have to use expensive, high-risk, extremely targeted attacks.”
On a darker front, the documents claim that the CIA maintains remote hacking programs to turn various connected devices, including smart TVs, into recording and transmitting stations, with the feeds sent back to secret CIA servers.
Other capabilities “would permit the CIA to engage in nearly undetectable assassinations,” WikiLeaks said. One document lays out actions that the CIA allegedly took to infiltrate and take over vehicle control systems in cars and trucks.
Christian Renaud, a 451 Research director specializing in IoT, said there are three possible scenarios at play:
1. It’s all a smear campaign by the Russians, Chinese or others to raise concerns about the US intelligence community;
2. It’s not a smear campaign and the NSA helped leak CIA sensitive data to gain points on the CIA, their rival; or
3. A third party penetrated the CIA and leaked the information à la Snowden to raise awareness of what can only be described as a methodical security war against enemies and US citizens by an intelligence agency.
Open Right Group is keen to make it clear that:
The CIA can hack phones but Signal and WhatsApp remain very good ways to communicate when using a mobile phone for nearly everyone.
WikiLeaks confirmed that it will not release the tools and exploits “until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should analyzed, disarmed and published.”
The leaked documents also revealed that the CIA used hacking tools developed by the British intelligence agencies (GCHQ and MI5), the NSA, the FBI and also contractors.
We can state quite equivocally that there is nothing in the leaked CIA files which indicates any sort of crack of ProtonMail’s encryption. And despite claims to the contrary, there is also no evidence that Signal/Whatsapp end-to-end encryption has been breached.
Following the Edward Snowden leaks, the U.S. government has promised to disclose serious vulnerabilities that represent a high risk or affect a product that is widespread in critical infrastructure. If the files obtained by WikiLeaks are genuine, the CIA breached that commitment.
– Bitdefender told SecurityWeek that the public Vault 7 files show that the CIA had been having problems evading the company’s products.
– Kaspersky Lab said one of the vulnerabilities mentioned in the report was patched in 2009, while another was addressed in December 2015.
– Comodo also said its product appeared to pose problems to the CIA.
– Microsoft, whose EMET and Security Essentials products are mentioned in the leak, told SecurityWeek that it’s aware of the report and looking into it
– Panda Security says it has yet to find exploits or tools targeting its products in the publicly available files.
The CIA’s cyberweapon arsenal also includes a cross-platform malware, dubbed Hammer Drill, that targets Microsoft, Linux, Solaris, MacOS, and other platforms via viruses infecting through CDs/DVDs, USBs, data hidden in images, and other sophisticated malware.
What more interesting? Hammer Drill v2.0 also added air gap jumping ability used to target computers that are isolated from the Internet or other networks and believed to be the most secure computers on the planet.
Well, how about this: CIA hackers are obscenely well-versed in Japanese one-line ACSCII art.
A group within the CIA’s Center for Cyber Intelligence, called Engineering Development Group (EDG), for instance, was responsible for building and supporting the backdoors, malicious payloads, Trojans, and viruses that the CIA used globally for its covert operations. The group’s management system apparently contains details on around 500 projects involving tools for penetrating, infesting, data exfiltration, and command and control.
However, at now in my opinion the best analysis has been made by Errata Security, that tries to turn off easy alarmism:
The CIA didn’t remotely hack a TV.
The docs are clear that they can update the software running on the TV using a USB drive. There’s no evidence of them doing so remotely over the Internet.
The CIA didn’t defeat Signal/WhattsApp encryption.
The CIA has some exploits for Android/iPhone. If they can get on your phone, then of course they can record audio and screenshots. Technically, this bypasses/defeats encryption — but such phrases used by Wikileaks arehighly misleading, since nothing related to Signal/WhatsApp is happening.
The CIA isn’t hoarding 0days.
For one thing, few 0days were mentioned at all. The CIA’s techniques rely upon straightforward hacking, not super secret 0day hacking
How is hacking cars and phones not SIGINT (which is the NSA’s turf)?
The answer is via physical access. For example, they might have a device that plugs into the ODBII port on the car that quickly updates the firmware of the brakes.