The iOS vulnerabilities offer more piecemeal components of a hacker tool. While one exploit offers a remote compromise of a target iPhone, the WikiLeaks documents describe the others as techniques to defeat individual layers of the iPhone's defense. That includes the sandbox that limits applications' access to the operating system and the security feature that randomizes where a program runs in memory to make it harder to corrupt adjacent software.
"Definitely with these exploits chained together [the CIA] could take full control of an iPhone," says Marcello Salvati, a researcher and penetration tester at security firm Coalfire. "This is the first public evidence that’s the case."
The leak sheds some limited light on the CIA's sources of those exploits, too. While some of the attacks are attributed to public releases by iOS researchers, and the Chinese hacker Pangu, who has developed techniques to jailbreak the iPhone to allow the installation of unauthorized apps, others are attributed to partner agencies or contractors under codenames. The remote iOS exploit is listed as "Purchased by NSA" and "Shared with CIA." The CIA apparently purchased two other iOS tools from a contractor listed as "Baitshop," while the Android tools are attributed to sellers codenamed Fangtooth and Anglerfish.
In a tweet, NSA leaker Edward Snowden pointed to those references as "the first public evidence [the US government] is paying to keep US software unsafe."
Internet of Spies
While the leak doesn't detail the CIA's attack techniques for desktop software like Windows and MacOS as explicitly, it does reference a "framework" for Windows attacks that seems to act as a kind of easy interface for hacking desktop machines, with "libraries" of vulnerabilities that attackers can swap in and out. It lists attacks that bypass and even exploit a long list of antivirus software to gain access to target desktop machines. And for MacOS, the document references an attack on computers' BIOS, the software that boots before the rest of the operating system. Compromising that can lead to a particularly dangerous and deep-rooted malware infection.
"This is something we already know that can be done, but we haven’t seen it in the wild," says Alfredo Ortega, a researcher for security firm Avast. "And by a government, no less."
The most surprising and detailed hack described in the CIA leak, however, targets neither smartphones nor PCs, but televisions. A program called Weeping Angel details work in 2014 to turn Samsung's smart TVs into stealthy listening devices. The research notes include references to a "Fake Off" mode that disables the television's LEDs to make it look convincingly powered down while still capturing audio. Under a "to-do" list of potential future work, it lists capturing video, too, as well as using the television's Wi-Fi capability in that Fake Off mode, potentially to transmit captured eavesdropping files to a remote hacker.
A tool called TinyShell appears to allow the CIA hackers full remote control of an infected television, including the ability to run code and offload files, says Matt Suiche, a security researcher and founder of the UAE-based security firm Comae Technologies. "I would assume that, by now, they would definitely have exploits for Samsung TVs," Suiche says. "This shows that they’re interested. If you’re doing the research, you’re going to find vulnerabilities." Samsung did not respond to WIRED's request for comment.
The fact that the CIA mixes this sort of digital espionage with its more traditional human intelligence shouldn't come as a surprise, says the Atlantic Council's Healey. But he says the sheer volume of the CIA's hacking capabilities described in the WikiLeaks release took him aback nonetheless. And that volume calls into question supposed limitations on the US government's use of zero-day exploits, like the so-called Vulnerabilities Equities Process, a White House initiative created under President Obama to ensure that security vulnerabilities found by US agencies were disclosed and patched, where possible.
If Vault 7 is any indication, that initiative has taken a back seat to assembling a formidable array of hacking tools. "If the CIA has this many," Healey says, "we would expect the NSA to have several times more."