Thought about buying a smart phone, smart TV, smart car? Think twice.
Wikileaks today (7 March) released over 8,000 documents illustrating the hacking activities of the Central Intelligence Agency (CIA). In what has been described by some commentators as a bigger leak than the Snowden revelations about the National Security Agency in 2013, the whistleblower platform allowed a glimpse into the CIA hacking into smart TVs and smartphones and presented a list of zero day vulnerabilities found, bought and sometimes shared with colleagues in other agencies, including British colleagues. Wikileaks announced that today’s leak was the “Year Zero” tranche of the much bigger “Vault 7” project: more redacted details from the documents and many more documents will be published.
Abusing Samsung smart TVs as bugs to listen in on conversations of people in their homes is one of the emblematic programs picked by the Wikileaks team to illustrate the CIA hacking activities.
“Weeping Angel”, as the program is called, manipulates the software settings of the smart TVs, keeping them in a disguised “Fake-Off” mode while at the same time “recording conversations in the room and sending them over the Internet to a covert CIA server,” as Wikileaks describes in one of its example analyses of the CIA hacking tools.
As of October 2014, “the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks,” the platform writes. Tools to spy on people via Android-based and Apple phones are also listed, as well as software for compromising networks.
“A Github for Malware”

Most of the Vault 7 tools presented so far were rather ordinary, wrote Stephane Bortzmeyer, researcher at the French Afnic, answering questions from Intellectual Property Watch. It had been known that smart TV security was “ridiculous” and that Android “has security bugs.” He also noted that the complete lack of security in “connected things” was well-known. Still, it was very impressive and rather scary “that all these tools are gathered, documented, made available, tested… A Github for malware.”
Hacking and cracking at the CIA obviously was not a side event, Bortzmeyer wrote, stating, “It is well-organised and professionally managed.”
According to Wikileaks’ analysis, at the end of 2016 the CIA’s hacking division, which formally falls under the CIA Center for Cyber Intelligence, had over 5,000 registered users and had produced more than a thousand trojans, viruses and malware programs. The CIA had “created its own NSA,” Wikileaks stated.
Zero Day Vulnerabilities: Making Software Less Secure
For many technical experts, one critical piece of information is the lists of so-called “zero day” vulnerabilities the agency has collected against various systems, including Microsoft, Apple iPhone and Android. These vulnerabilities are security gaps in the code not known to the companies and the users. Year Zero delivered “first public evidence USG secretly paying to keep US software unsafe,” tweeted Edward Snowden. The whistleblower called it “reckless beyond words” that the US government was developing vulnerabilities in US products and keeping the holes intentionally open.
Nicholas Weaver, in his first analysis on Lawfare, called on the CIA to inform affected companies. “While I am reasonably tolerant of the US government retaining exclusive iOS 0-days, it should not be holding onto the 0-day once there is reason to believe it has been compromised by an adversary.”
Wikileaks founder Julian Assange warned against the proliferation risk in the development of these cyber ‘weapons’. “Comparisons can be drawn between the uncontrolled proliferation of such ‘weapons’, which results from the inability to contain them combined with their high market value, and the global arms trade,” Assange wrote.
Speaking of cyber war, the documents also include recommendations for software developers and their agency users on how to obfuscate their traces, including technical hints like using regular standard protocols to mingle with regular traffic or simply avoiding time stamps that could be related to US office hours and the like.
Vault 7 Fallout
The leak has triggered the search for the source. Wikileaks in its own press release just notes that the “CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation.”
The collection, which amounted “to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”
In a rather cynical debate, participants of a technical mailing list considered how far the now-revealed code is in the public domain and up for grabs.
With regard to the origin of the leaks, well-known security expert Bruce Schneier wrote on his blog that pending further technical analysis, there was at least a possibility that the tools could have been released by a group called “Shadow Brokers”, which many experts thought were Russian. https://www.schneier.com/blog/archives/2017/03/wikileaks_relea.html
Yet given the recommendation to obfuscate where you come from and who you work for, which most certainly has been learned by many parties in the big brother game, attribution might remain elusive.



