WikiLeaks has recently published a trove of over 8,000 pages of CIA documents. Among many other bombshells, it appears that CIA has been stockpiling far more vulnerabilities than the U.S. government has implied; in particular, the agency has demonstrated its ability to compromise mobile phones.
Unlike NSA’s blanket surveillance, CIA’s attacks are more targeted. According to the leaked documents, CIA focuses on gathering attack methods that break into specific devices, and deploys them sparingly to minimize the risk of exposure, since the exposure of any technique could lead to prompt patching of the underlying vulnerability and render that attack vector useless.
Among the documents was an Android attack directory listing 26 zero-day (unknown and unpatched) exploits, all but two of which were “weaponized” for use in CIA attacks. The arsenal included 15 privilege escalation exploits, seven remote access exploits, two remote information leaks, and one persistence exploit. Of these, the root privilege escalation exploits are the most powerful: malware that reaches root can “become” the phone, installing any software and reading any part of the device. The remote information leaks matter less for what they disclose on their own than for what they enable; in exploit development an information leak usually means disclosing memory contents, such as the addresses needed to defeat address-space randomization, and it is typically chained with a remote access exploit to get a reliable foothold. The persistence exploit is also notable, as it allows an implant on Android KitKat devices to survive the device being powered off and restarted. Thus far, Google has declined to comment.
Historically, Android users have not uniformly upgraded to newer versions of the operating system as they have come out. Delivering security updates to a device depends on the handset maker and, frequently, the carrier rather than on Google, and many Android users are still running outdated versions. Although successive releases of both Android and iOS have frustrated attackers such as CIA by closing vulnerabilities, a patch only protects devices that actually receive it: users on older, unsupported builds remain exposed to the agency’s older techniques even after the vendors fix the underlying holes.
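As an added example (not part of the original article), the following Python script checks where a given Android device stands on that point: it parses the output of `adb shell getprop` and compares the reported security patch level against a cutoff. The property names `ro.build.version.release` and `ro.build.version.security_patch` are real Android system properties; the cutoff date and the sample dump are constructed for illustration. Builds older than Android 6.0, including the KitKat devices mentioned above, do not report a patch level at all, and the script treats that absence as stale rather than as unknown.

```python
"""Check an Android device's OS version and security patch level.

Added example, not from the original article. It reads the output of
`adb shell getprop` (or any dump in the same `[key]: [value]` format) and
reports whether the device is older than a chosen cutoff. The property
names are real Android system properties; the cutoff date and the sample
dump below are constructed for illustration.
"""
import re
import sys
from datetime import date

# One getprop line looks like: [ro.build.version.sdk]: [23]
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

# Constructed sample: what `adb shell getprop` prints for a stale device.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [6.0.1]
[ro.build.version.sdk]: [23]
[ro.build.version.security_patch]: [2016-10-05]
[ro.product.manufacturer]: [Example]
"""


def parse_getprop(dump: str) -> dict:
    """Turn `[key]: [value]` lines into a dict; malformed lines are ignored."""
    props = {}
    for line in dump.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def security_patch_date(props: dict):
    """Return the patch level as a date, or None if the property is missing
    (pre-6.0 builds such as KitKat never set it) or malformed."""
    raw = props.get("ro.build.version.security_patch")
    if not raw:
        return None
    try:
        return date.fromisoformat(raw)
    except ValueError:
        return None


def assess(props: dict, cutoff: str) -> dict:
    """Classify a device against an ISO-formatted cutoff date (e.g. the date
    of the fix you care about). A missing patch level is treated as stale:
    an unknown level is no evidence of being patched."""
    cutoff_date = date.fromisoformat(cutoff)
    release = props.get("ro.build.version.release", "unknown")
    patch = security_patch_date(props)
    if patch is None:
        return {"release": release, "patch": None, "stale": True,
                "reason": "no security patch level reported"}
    stale = patch < cutoff_date
    return {"release": release, "patch": patch.isoformat(), "stale": stale,
            "reason": "patch level %s is %s %s" % (
                patch, "before" if stale else "at or after", cutoff_date)}


if __name__ == "__main__":
    # Pipe a real dump in; with no piped input, evaluate the embedded sample.
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETPROP
    print(assess(parse_getprop(dump), "2017-03-01"))
```

On a connected device, pipe the real properties through it (the script name is whatever you save it as): `adb shell getprop | python3 check_patch_level.py`. The cutoff is yours to choose; for a specific fix, use the month the vendor shipped it.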
The leaked documents also include a chart of CIA’s iOS exploits by version. By iOS 9.2, the latest version referenced in the documents, the agency had tools for each stage of a full compromise: initial device access, a kernel memory leak (typically used to locate the kernel in memory and defeat address-space randomization), kernel exploits, a code signing defeat, reboot persistence, and a kernel exploit framework to tie them together. Beyond vulnerabilities similar to those exploited on Android devices, the defeat of Apple’s code signing means CIA could install and run unsigned malicious software without the operating system rejecting it. Taken together, these tools gave the agency control over every aspect of an iOS device running what were then the latest versions of the operating system.
In response, Apple released a statement assuring users that “initial analysis indicates that many of the issues leaked today were already patched in the latest iOS… we will continue to work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates.” Given that the most recent of the listed exploits dates from 2015, it is unsurprising that most of these issues have been patched. CIA has had ample time since then to develop techniques against subsequent versions of iOS.
Because CIA’s techniques compromise the device itself, everything that happens on the phone can be captured and forwarded to the agency. Apps such as WhatsApp, Viber, and Signal provide robust end-to-end encryption, but that protects data in transit and on the provider’s servers; it is irrelevant once the endpoint is compromised. Consider the following example: a compromised phone captures what the user types and quietly stores it in the phone’s memory without interfering with normal functionality. Even if the user is typing inside a “secure” app, the app has no way to notice that the text has already been copied, because the capture happens in the operating system beneath it. The app will carry out its usual encryption, but by then the plaintext is already in the hands of a malicious process that can send it to CIA. The same applies to any data, such as audio or video, that would be sent through a secure messaging app: the implant reads it from the microphone or camera before the app ever encrypts it.
Secure apps rely on strong encryption, and nothing in the leaked documents suggests CIA can break it. Instead, the agency circumvents app encryption by owning the device underneath the app, reading data before it is encrypted or after it is decrypted. Infected smartphones can have their audio, text, and geolocation data routed to the agency, which can also activate sensors such as the device’s camera.
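The point made in the two paragraphs above can be shown in a few dozen lines. The following Python model is an added example, not code from the article or from any leaked tool: a messenger that encrypts correctly, beneath which an implant with root has hooked the text-input path. The cipher is a toy encrypt-then-MAC construction (an HMAC-SHA256 keystream with an HMAC tag) standing in for a real AEAD, and the message, key and hook class are constructed for the demonstration.

```python
"""Why a compromised endpoint defeats end-to-end encryption.

Added example, not code from the article or from any leaked tool. It models
a messenger that encrypts correctly, and a root-level implant that hooks the
input path beneath the app. The cipher is a toy encrypt-then-MAC
construction (HMAC-SHA256 keystream plus HMAC tag) standing in for a real
AEAD; the message, key and hook are constructed for the demonstration.
"""
import hashlib
import hmac
import os
from typing import List

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC). Adequate as a
    model; real code should use a vetted AEAD such as AES-GCM."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then strip the keystream. Raises on any tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class InputMethod:
    """The OS text-input path that every app, secure or not, reads from."""

    def read(self, typed: str) -> str:
        return typed


class HookedInputMethod(InputMethod):
    """Constructed implant with root: tees keystrokes to its own log before
    the app sees them. Nothing downstream changes, so the app has no signal."""

    def __init__(self) -> None:
        self.captured: List[str] = []

    def read(self, typed: str) -> str:
        self.captured.append(typed)
        return super().read(typed)


def send_message(ime: InputMethod, key: bytes, typed: str) -> bytes:
    """The 'secure app': read text from the input path, encrypt, hand to the network."""
    plaintext = ime.read(typed).encode()
    return encrypt(key, plaintext)


def run_demo(message: str = "meet at 9, bring the documents") -> dict:
    """Send one message on an already-compromised device and report what
    each party ends up with."""
    key = os.urandom(32)          # session key shared with the recipient
    ime = HookedInputMethod()     # the device is already compromised
    wire = send_message(ime, key, message)
    return {
        "wire": wire,
        "recipient_reads": decrypt(key, wire).decode(),     # app works as designed
        "implant_log": list(ime.captured),                   # plaintext, no crypto broken
        "wire_contains_plaintext": message.encode() in wire, # network observer sees nothing
    }


if __name__ == "__main__":
    result = run_demo()
    print("recipient reads:", result["recipient_reads"])
    print("implant log:    ", result["implant_log"])
    print("plaintext on wire:", result["wire_contains_plaintext"])
```

Three things fall out of running it: the recipient decrypts the message exactly as designed, the bytes on the wire never contain the plaintext, and the implant’s log holds the plaintext anyway. The app’s own integrity check passes, so nothing inside the app can detect the capture; the defence has to live below the app, in the platform and its patch level.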
Phones are not CIA’s only target; the agency has also had success against Samsung’s F8000 smart TVs through an implant installed over a USB connection, which requires physical access to the set. In cooperation with GCHQ, the British government’s primary signals intelligence organization, CIA developed several capabilities in a project codenamed WEEPING ANGEL after the Doctor Who villain. These include using the smart TV’s microphone to record and transmit audio, and a “fake off” mode in which the TV appears to be off but continues to record and transmit when the user tries to switch it off. The report listed future goals of capturing video from the TV and of keeping Wi-Fi access while in “fake-off” mode. For now, Samsung has said only that it is “aware of the report in question and are urgently looking into the matter.”
This is not the first time Samsung’s smart TVs have raised privacy concerns. In 2015, the devices’ privacy policy was found to read, in part, “please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.” Samsung has since lengthened and clarified its terse and ominous phrasing, but the episode was nonetheless a watershed moment in understanding the potential for misuse in connected devices such as smart TVs.
Overall, the latest leak paints a picture of CIA as an agency that targets specific devices in limited attacks using undisclosed security holes. Although WikiLeaks claims to have received the code behind many of the exploits, it has not yet released it, since many of the underlying vulnerabilities are still unpatched. Even with only descriptions of the attacks and their effects on targeted devices, the picture should be sobering for the connected-device security community.
In the near term, vendors will issue updates that close the outlined vulnerabilities. CIA has undoubtedly been developing new exploits since those listed in the leaked documents, but each successive update raises the cost of attack as new security techniques are incorporated into the operating system, forcing attackers such as CIA’s to work harder to develop them. Hopefully, this leak will usher in growth and a renewed emphasis on mobile security.