From Iain Thomson, 8 Mar 2017
First, though, a few general points: one, there’s very little here that should shock you. The CIA is a spying organization, after all, and, yes, it spies on people.
Two, unlike the NSA, the CIA isn’t mad keen on blanket surveillance: it targets particular people, and the hacking tools revealed by WikiLeaks are designed to monitor specific persons of interest. For example, you may have seen headlines about the CIA hacking Samsung TVs. As we previously mentioned, that involves breaking into someone’s house and physically reprogramming the telly with a USB stick. If the CIA wants to bug you, it will bug you one way or another, smart telly or no smart telly. You’ll probably be tricked into opening a dodgy attachment or download.
That’s actually a silver lining to all this: end-to-end encrypted apps, such as Signal and WhatsApp, are so strong, the CIA has to compromise your handset, TV or computer to read your messages and snoop on your webcam and microphones, if you’re unlucky enough to be a target. Hacking devices this way is fraught with risk and cost, so only highly valuable targets will be attacked. The vast, vast majority of us are not walking around with CIA malware lurking in our pockets, laptop bags, and living rooms.
Windows: The CIA’s UMBRAGE team has a modest collection of attack tools for systems powered by Microsoft’s widely used operating system, all listed here. These tools include keystroke loggers, sandbox escape ropes, and antivirus avoidance mechanisms. The CIA analysts found flaws in Control Panel, and the ability to add data streams to NTFS without detection to smuggle data onto storage drives. Windows library files are useful stepping stones to malicious code execution, as are Windows Theme files.
DLL files [PDF] are a popular attack vector for the CIA PDF]. They are also handy for concealing malware in applications, and the documents show that common apps have been used for spying by exploiting DLL weaknesses.
One DLL attack technique shows that someone at the agency is a bit of a Will Ferrell fan. The RickyBobby program, named after the character in the film Talladega Nights, uses several .NET DLLs and a Windows PowerShell script to implant a “listening post” on a target Windows PC.
A version has been used in the field on USB drives, according to this document. The software, with attack tools dubbed Fight Club, was put onto six thumb drives and “inserted into the supply chain of a target network/group.”
If you’re using Windows Exchange 2010, the CIA has a tool for that, dubbed ShoulderSurfer. This performs a code injection attack against the Exchange Datastore manager process that would allow an agent to collect emails and contacts at will and without the need for an individual’s credentials.
Exchange 2007 is even easier to crack, according to the CIA. For a detailed rundown on Exchange and all its flaws, this document [PDF] should be helpful to Microsoft engineers looking to fix the problems.
OS X: Users of Apple’s OS X shouldn’t look too smug, however. The CIA has tools for you too – pages of them.
A lot of hacking tools cover OS X El Capitan, but presumably these have been updated to subvert new versions of the operating system. That said, it does seem through reading these files that Apple poses a significantly more difficult challenge for the CIA than Redmond’s code.
Analysts note that the operating system can be resilient to applications that try to slip malware onto a Mac. But it’s still possible to whitelist spying software; subvert NetInstall images, creating zombie programs; and surreptitiously get at the kernel.
One interesting project the files touch on is dubbed QuarkMatter. This is a technique for hiding spying software persistently on an OS X system by using an EFI driver stored on the EFI system partition. Another, dubbed SnowyOwl, uses a pthread in an OpenSSH client to potentially pull off remote monitoring of a target system.
iOS: The CIA files show an extensive list of iOS exploits. Some of these were developed in-house, some obtained from the NSA or Britain’s GCHQ, and others were purchased from private vendors. It looks as though at least some of the security bugs were fixed by Apple in recent iOS updates – versions 8 and later – or are otherwise no longer exploitable. For instance, the Redux sandbox workaround and Xiphos kernel exploit were both used to hack “iPhone 4S and later, iPod touch (5th generation) and later, iPad 2 and later,” but both flaws were fixed after being publicized by the Chinese jailbreaker Pangu.
While it’s likely the exploit list is an old one, a lot of them may still work. iOS 8 appears to have killed off a few, but most of the exploits don’t have death dates listed.
The Dyonedo exploit, developed by GCHQ, allows unsigned code to run on iOS devices, while the CIA’s homegrown Persistence tool allows “a symbolic link [to] be created (on iOS 7.x) or an existing file can be overwritten (iOS 8.x) that will run our bootstrapper, giving [users] initial execution on every boot.”
While full root is a goal, the documents also detail an attack known as Captive Portal. This sets up the browser to route all web use through a server run by the CIA.
Android: There’s a much longer list for Android exploits than that for its Cupertino cousin’s operating system.
There are exploits such as Chronos and Creatine that attack specific flaws in Qualcomm Adreno GPU drivers, and others like Starmie and Snubble only work against specific Samsung handsets. There are also a lot of Chrome-based attacks for Android that will only work on older versions of the browser. There’s a full list of version histories here.
There are also three implants listed – Bowtie, SuckerPunch, and RoidRage. The release notes for RoidRage show it can monitor all radio functions and allows SMS stealing.
While the bulk of the exploits listed allow for escalation of privileges, allowing malicious apps to gain more or total control of the infected device, there are some like BaronSamedi, Dugtrio, and Salazar that allow for remote access. Many of these have been shut down on phones running Android version 4.4 and higher, but bear in mind this list is three years old and the revised grab bag of exploits currently in use could be more effective against more modern Android builds.
Antivirus: The CIA stash contains rundowns on most of the popular antivirus systems and how to defeat them. Much of the information has been redacted but there are a few snippets left.
The documents note that evading F-Secure’s detection mechanisms is possible, but that the software has a pretty good heuristics engine that can pick up Trojan software. The agency has devised two ways around this using RAR file string tables or cloning a RAR file manifest file.
Avira has similarly good heuristics, the files note, but two similar attacks appear to work. Avira is a high-value target, since the documentation notes that it is popular among counter-terrorism targets.
Bitdefender’s heuristic engine has also caused the CIA some problems when it comes to detecting the agency’s malware. However, one file notes: “cleartext resources or simple RXOR-ed resources don’t seem to cause Bitdefender to trip.”
Comodo’s code is described as a “giant PITA” for its malware detection capabilities. However, it has a weak spot and doesn’t scan the contents of the Recycle Bin. The notes say malware can be stored safely here, but may be detected if run.
Ever since version six of Comodo’s code, things have become a lot easier and the CIA has an exploit dubbed the Gaping Hole of DOOM. That version ignores malware that it thinks is part of the Windows core operating system.
“Anything running as SYSTEM is automatically legit under 6.X. ANYTHING,” the document states. “Let that sink in. Got a kernel-level exploit? Good, because you can drop the kitchen sink and the contents of your garage and as long as you continue to run as SYSTEM you are golden. Yeah.”
Details on AVG are sketchy, but the CIA trove indicates at least two ways to defeat the security software. These include a fake installer and malware that can be dropped onto a system and activated by a specific web link.
Antivirus code and other programs can also be targeted by a series of tools developed under the moniker WreckingCrew. The vast majority of these were under development, but two were finished and could be used to shut down security software and to “troll people.”
Signal/WhatsApp: In some good news for privacy advocates it appears that the CIA has had no luck in cracking the popular encrypted chat protocol created by Whisper Systems, which is used in Signal and WhatsApp.
CD/DVD attacks: There are still plenty of people in the world using CDs and DVDs, so the CIA has developed code called HammerDrill to exploit the storage medium.
Version two of the software allows an infected computer to log what CDs and DVDs are being read by the user, for how long, and the data they contain. The CIA also added a function in the second build that allows it to install a hidden Trojan in new discs being burned, if the target is using the popular Nero burning software.
The developer notes state that a 279-byte shellcode can be burned onto the storage medium that will run on 32-bit Windows systems. The documents note that Kaspersky antivirus (a top choice in Russia and elsewhere) can be bypassed in this way.
Smart TVs: The CIA and the British spies at MI5 have developed an attack known as Weeping Angel. This can put smart TVs – Samsung’s is mentioned – into a “Fake-Off mode,” which makes the device look like it’s powered down with its LEDs off. However, it’s still on and can now be used as a bugging device. The Wi-Fi keys the TV uses are also slurpable.
The exploit was developed and the documents show areas of interest that CIA hackers wanted to research, notably leaving Wi-Fi on and enabling video capture, get into caches of stored audio recordings, and setting up a man-in-the-middle attack against the television’s browser.
The TV is compromised via a USB stick inserted into the device, but the documents show that if the user has updated their operating system to firmware version 1118 and above then the hack won’t work. The documents also note that only 700MB of 1.6GB of onboard storage is available for spying uses.
IoT devices: It’s clear the CIA is looking actively at subverting Internet of Things devices with its Embedded Development Branch.
The documents here are somewhat scant, but from meeting notes in 2014 it’s clear that the analysts are looking at self-driving cars, customized consumer hardware, Linux-based embedded systems, and whatever else they can get their hands on.
Those Amazon Echo or Google Home devices are looking less and less attractive every day.
Other interesting snippets are that some of the documents contain the licence keys of software the CIA uses. These include keys for OmniGraffle graphic design software and the Sublime text editor, but in the latter case the 10-user licence key was listed as belonging to Affinity Computer Technology, a small computer repair shop in Sterling, Virginia.
We spoke to Affinity’s manager, Bill Collins, who checked out the page and pronounced himself baffled. They’re a small computer repair shop, he said, with no links to the CIA.
There are also some amusing touches. One analyst has included his favorite ASCII characters for conversing online with Japanese people, along with games he likes to play and some music suggestions. He or she also appears to be a Monty Python fan.