More on the WikiLeaks release of CIA files

I was surprised that the leaks from within the CIA of nearly 9,000 documents, which WikiLeaks has labeled ‘Vault 7’ and which revealed information about its methods of spying on Americans and how it lost control of the systems it was using, have not received much greater prominence in the news, though it is now receiving more scrutiny as both the FBI and CIA launch criminal investigations into the leaks.

But The Intercept has been following the story closely and has three reports. Jenna McLaughlin describes the many malware tools used by the CIA and the targets of the attacks, one of whose goals was to take full control of Apple and Android devices.

The attacks allow for varying levels of access — many powerful enough to allow the attacker to remotely take over the “kernel,” the heart of the operating system that controls the operation of the phone, or at least to have so-called “root” access, meaning extensive control over files and software processes on a device. These types of techniques would give access to information like geolocation, communications, contacts, and more.

The CIA exploited what are called ‘zero day’ vulnerabilities without informing the companies of the security holes, thus allowing others to also use them.

Some of the attacks are what are known as “zero days” — exploitation paths hackers can use that vendors are completely unaware of, giving the vendors no time — zero days — to fix their products. WikiLeaks said the documents indicate the CIA has violated commitments made by the Obama administration to disclose serious software vulnerabilities to vendors to improve the security of their products.

At least some civil liberties advocates agree with the WikiLeaks assessment. “Access Now condemns the stockpiling of vulnerabilities, calls for limits on government hacking and protections for human rights, and urges immediate reforms to the Vulnerabilities Equities Process,” Nathan White, senior legislative manager for digital rights group Access Now, wrote in response to the new leak in a press release.

This is why Edward Snowden said these revelations are a “big deal” and that the big story here is that the US government was “developing vulnerabilities in US products, then intentionally keeping the holes open”, and thus vulnerable to hackers, actions that he described as “reckless beyond words”.

Sam Biddle discusses in more detail the ‘Weeping Angel’ project (where do they come up with these names?) that involves planting malware that turns Smart TVs into listening devices. The report initially identified only Samsung TVs, but it is unlikely that they stopped there, and some companies have reacted to the news.

Apple, one of numerous tech companies whose devices appear to have been targeted, released a statement late on Tuesday saying many of the vulnerabilities described by the documents were already fixed as of the latest version of its iOS mobile operating system, and aimed to reassure customers that it was working on patching the rest of the holes.

It said: “While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities,” it added. “We always urge customers to download the latest iOS to make sure they have the most recent security updates.”

Other companies mentioned in the leaks, including Microsoft and Samsung, gave briefer statements. “We are aware of the report and are looking into it,” Microsoft said. Samsung said: “Protecting consumers’ privacy and the security of our devices is a top priority at Samsung. We are aware of the report in question and are urgently looking into the matter.” Google has yet to comment on the leaks, which contain a sizeable amount of information on how to target its Android operating system.

Biddle and Micah Lee say that some initial reports that the CIA was able to overcome the encryption systems in supposedly secure social network sites like WhatsApp and Signal were overstated.

By specifically mentioning these apps, news outlets implied that the agency has a means of getting through the protections built into the chat systems. It doesn’t. Instead, it has the ability, in some cases, to take control of entire phones; accessing encrypted chats is simply one of many security implications of this. WikiLeaks’ own analysis of the documents at least briefly acknowledges this, stating that CIA “techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the ‘smart’ phones that they run on and collecting audio and message traffic before encryption is applied.”

Contrary to the clear implication from these journalists and news sources, the documents WikiLeaks published do not appear to show any attack specific to Signal or WhatsApp, but rather a means of hijacking your entire phone, which would of course “bypass” encrypted chat apps because it thwarts virtually all other security systems on the device, granting total remote access to the CIA.

There is going to be renewed scrutiny of government spying now that FBI director James Comey has declared that privacy is dead.


  1. says

    There is going to be renewed scrutiny of government spying now that FBI director James Comey has declared that privacy is dead.

    No, there isn’t. Bush demonstrated that the law can be ignored and the constitution can be ignored, and Obama built on that. The US secret police have always done these things and have made it clear that they always will. So far the one penny that hasn’t dropped is the FBI -- but we already know they have a similar stack of tools to CIA and NSA, and access to NSA data, besides. Since congressional “representatives” threw the citizenry under the bus when it came to NSA spying, pretty much the only action I expect to see on this front is that the CIA will now spend a lot of money developing new tools. They won’t get more competent, because that’s hard. They’ll just get more expensive.

  2. Owlmirror says

    the ‘Weeping Angel’ project (where do they come up with these names?)

    At least in this instance, probably Doctor Who. The episode they first appeared in was titled Blink. I suspect the project-namer had in mind the way that the angels can observe (and move) while not being observed (because quantum).

    Says Wikipedia:

    The Angels are “quantum locked”, allowing them to move unbelievably fast when unobserved, while they turn to near-indestructible stone when they are observed. As gazing upon themselves will permanently lock them in that form, the Angels otherwise cover their eyes, creating their “weeping” appearance.

    So, to sum up, a pop-culture reference to abuse of the QM observer effect.

  3. says

    reports that the CIA was able to overcome the encryption systems in supposedly secure social network sites like WhatsApp and Signal were overstated

    The media spin on this is distressing. First off, there are clues that indicate that they’re not just going after the endpoints. If they’re tweaking NTP settings in devices, to change where they sync their time from, that means that they probably have identified time-variant pseudorandom number generators in some implementations: if you can record when a system asks for the time, and when they generate a random session key, you can crack their comms offline. I don’t know about Whisper and WhatsApp but I would not do as the journalists do, and say “these apps are probably OK.” Not by a long shot. Besides, the more distressing part about the story is that they’ve been spending huge amounts of money farming exploits against iOS and other device operating systems: why take over the app if you can take over the entire endpoint and install a keylogger? It works better, anyway.

    There’s another aspect to this whole thing that is often neglected, which is server-side vulnerabilities. For example, take this Apache Struts bug that’s getting attention right now. Well, what if some spook has a bug like that that allows them to remotely scrape the unlocked secret side of a public certificate? How often are the certs changed? If you can compromise a server’s key you own all the communications into and out of that server until the key is changed, and they’d damn well better not change it in-band. During the Snowden dump, I believe that this was the technique for getting at Google and other services ‘from the server’ that was referred to. Of course, I don’t know. Those that do know aren’t telling (yet!). I’d be very surprised if there wasn’t a whole separate server-side exploit group farming key collection.

    What honks me off about the media coverage of this is that the media are basically saying: OK you have a ruthless highly motivated enemy with unlimited funds, that has done all this hard work to take down your security protections over here but since the leaks don’t say anything about over there then that stuff is probably still OK. LOLwut?

  4. Mano Singham says

    I am becoming increasingly aware that as a result of not having watched the Dr. Who TV series, I am woefully lacking awareness of a whole range of pop culture references.
