Sunday, 12 March 2017

That CIA exploit list in full: The good, the bad, and the very ugly

We're still going through the 8,761 CIA documents published on Tuesday by WikiLeaks for political mischief, although here are some of the highlights.
First, though, a few general points: one, there's very little here that should shock you. The CIA is a spying organization, after all, and, yes, it spies on people.
Two, unlike the NSA, the CIA isn't mad keen on blanket surveillance: it targets particular people, and the hacking tools revealed by WikiLeaks are designed to monitor specific persons of interest. For example, you may have seen headlines about the CIA hacking Samsung TVs. As we previously mentioned, that involves breaking into someone's house and physically reprogramming the telly with a USB stick. If the CIA wants to bug you, it will bug you one way or another, smart telly or no smart telly. You'll probably be tricked into opening a dodgy attachment or download.
That's actually a silver lining to all this: end-to-end encrypted apps, such as Signal and WhatsApp, are so strong, the CIA has to compromise your handset, TV or computer to read your messages and snoop on your webcam and microphones, if you're unlucky enough to be a target. Hacking devices this way is fraught with risk and cost, so only highly valuable targets will be attacked. The vast, vast majority of us are not walking around with CIA malware lurking in our pockets, laptop bags, and living rooms.
Thirdly, if you've been following US politics and WikiLeaks' mischievous role in the rise of Donald Trump, you may have clocked that Tuesday's dump was engineered to help the President pin the hacking of his political opponents' email server on the CIA. The leaked documents suggest the agency can disguise its operations as the work of a foreign government. Thus, it wasn't the Russians who broke into the Democrats' computers and, by leaking the emails, helped swing Donald the election – it was the CIA all along, Trump can now claim. That'll shut the intelligence community up. The President's pet news outlet Breitbart is already running that line.
Back to the leaked files. One amusing page gives details of discussions within the CIA on how to avoid having its secrets leak in the wake of the theft of the NSA Equation Group's hacking tools. Along with a detailed report [PDF] on the Equation Group hack, there are suggestions on how to protect resources.
The CIA and the White House have yet to comment on the veracity of the leaked material and are unlikely to do so. But at least one former intelligence worker with knowledge of such matters seems convinced they are real.
So here's a rundown of the highlights so far. With so much material to go through, some important things will have been missed. Feel free to add your own insights in the comments section. We note that a good number of these cyber-weapons were obtained from the NSA, GCHQ or private computer security researchers, and hoarded without warning vendors in case vulnerabilities are patched – we've covered this subject over and over.
  • Windows: The CIA's UMBRAGE team has a modest collection of attack tools for systems powered by Microsoft's widely used operating system, all listed here. These tools include keystroke loggers, sandbox escape ropes, and antivirus avoidance mechanisms. The CIA analysts found flaws in Control Panel, and the ability to add data streams to NTFS without detection to smuggle data onto storage drives. Windows library files are useful stepping stones to malicious code execution, as are Windows Theme files. DLL files [PDF] are a popular attack vector for the CIA PDF]. They are also handy for concealing malware in applications, and the documents show that common apps have been used for spying by exploiting DLL weaknesses.
    One DLL attack technique shows that someone at the agency is a bit of a Will Ferrell fan. The RickyBobby program, named after the character in the film Talladega Nights, uses several .NET DLLs and a Windows PowerShell script to implant a "listening post" on a target Windows PC.
    A version has been used in the field on USB drives, according to this document. The software, with attack tools dubbed Fight Club, was put onto six thumb drives and "inserted into the supply chain of a target network/group."
    If you're using Windows Exchange 2010, the CIA has a tool for that, dubbed ShoulderSurfer. This performs a code injection attack against the Exchange Datastore manager process that would allow an agent to collect emails and contacts at will and without the need for an individual's credentials.
    Exchange 2007 is even easier to crack, according to the CIA. For a detailed rundown on Exchange and all its flaws, this document [PDF] should be helpful to Microsoft engineers looking to fix the problems.
  • OS X: Users of Apple's OS X shouldn't look too smug, however. The CIA has tools for you too – pages of them. A lot of hacking tools cover OS X El Capitan, but presumably these have been updated to subvert new versions of the operating system. That said, it does seem through reading these files that Apple poses a significantly more difficult challenge for the CIA than Redmond's code.
    Analysts note that the operating system can be resilient to applications that try to slip malware onto a Mac. But it's still possible to whitelist spying software; subvert NetInstall images, creating zombie programs; and surreptitiously get at the kernel.
    One interesting project the files touch on is dubbed QuarkMatter. This is a technique for hiding spying software persistently on an OS X system by using an EFI driver stored on the EFI system partition. Another, dubbed SnowyOwl, uses a pthread in an OpenSSH client to potentially pull off remote monitoring of a target system.
    The documents also show a project called HarpyEagle that analyzed Apple's Airport Extreme firmware for private keys, and also Time Capsule systems.
  • iOS: The CIA files show an extensive list of iOS exploits. Some of these were developed in-house, some obtained from the NSA or Britain's GCHQ, and others were purchased from private vendors. It looks as though at least some of the security bugs were fixed by Apple in recent iOS updates – versions 8 and later – or are otherwise no longer exploitable. For instance, the Redux sandbox workaround and Xiphos kernel exploit were both used to hack "iPhone 4S and later, iPod touch (5th generation) and later, iPad 2 and later," but both flaws were fixed after being publicized by the Chinese jailbreaker Pangu. While it's likely the exploit list is an old one, a lot of them may still work. iOS 8 appears to have killed off a few, but most of the exploits don't have death dates listed.
    The Dyonedo exploit, developed by GCHQ, allows unsigned code to run on iOS devices, while the CIA's homegrown Persistence tool allows "a symbolic link [to] be created (on iOS 7.x) or an existing file can be overwritten (iOS 8.x) that will run our bootstrapper, giving [users] initial execution on every boot."
    While full root is a goal, the documents also detail an attack known as Captive Portal. This sets up the browser to route all web use through a server run by the CIA.

No comments:

Post a Comment