03/09/2017

WikiLeaks Vault7 Year Zero

WikiLeaks Vault7 Year Zero Vulnerabilities

What has happened

On Tuesday Wikileaks published what it described as the biggest leak ever of confidential documents from the CIA. The leak itself is called Vault7. The first episode in a series of planned publications is called “Year Zero”. In more than 8700 secret files, most of them dating from 2013 to 2016 it, describes the tools used by the CIA and shows in detail how CIA’s cyber experts engage in hacking.

Of course there is no confirmation at all from the CIA whether the leaked data is true or not. However the “Year Zero” documents indicate that CIA has powerful tools in their hands. And they should have as a state agency like CIA needs to protect citizens. In a computerized world it is inevitable that they have a powerful arsenal of cyber tools and cyber weapons.

Reading through the documents it becomes clear that a wide scope is covered. The CIA seems to be targeting just nearly everything: Windows, OS X, Linux, routers, smartphones, SmartTVs, Embedded devices, Industrial Control systems, vehicle control etc. That entails plenty of code (“several hundred million lines of code”, “more code than that used to run Facebook”) and many coworkers (“more code than that used to run Facebook”). So let’s have a look at a couple of the highlights in Wikileaks’ Vault7.

Let’s start with the organizational structure. CIA’s Center for Cyber Intelligence (CCI) comprises several groups (See Org Chart) . The most interesting of them is the Engineering Development Group (EDG). It runs more than 500 projects. Different subgroups deal with all the topics mentioned above. Here’s a selection:

·         Automated Implants Branch (AIB): infecting devices and spreading code

·         Mobile Development Branch (MDB): hacking mobile devices and smartphones

·         Embedded Devices Branch (EDB): hacking cars, industrial control systems and other IoT gear

·         Network Devices Branch (NDB): hacking routers and other network devices

Smart devices as a target

The wide scope of attacked devices is not limited to PCs and network devices. “CIA malware targets iPhone, Android, smart TVs”. They seem to have several exploits for iOS and Android and by that they can sideload (or install) other apps (or programs) which are e.g. able to intercept encryption.  “These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied.”

In an operation coined Weeping Angel, CIA and the British MI5/BTSS implemented a “Fake-Off” mode for Samsung Smart TVs. When activated the TV just looks like it is switched off. But the camera and the microphone still records data. This effectively turns a SmartTV into a Orwell style televisor. Hacking a Smart TV doesn’t look that easy. There have been examples where Android apps infected Smart TV’s  but in the CIA files physical access with a USB device seems to be necessary. There is no evidence of them doing so remotely over the Internet. Samsung has reacted and is already looking into the possible bug.

Other targets and detection evasion

The CIA has several strategies to evade detection and analysis. It utilizes encryption where useful. There are ways to evade and defeat security products (including G DATA’s) and forensic tools. There are also several means to covertly transmit data to the machine or away from it. This comprises using Alternate Data Streams (Brutal Kangaroo), unused space inside files and hiding data inside images.

One of the target technologies are routers and other “Network Devices (including but not limited to SOHO routers)”. This is a consequent step as routers are core technology for network access and flaws in their firmware or software can be very beneficial for agencies.

The CIA is also looking at Industrial Control Systems (SCADA). There are special tools to spread malware to systems that are isolated from the internet. Removable USB-devices (“FineDining”) and CD/DVD tools called “HammerDrill”  can be used to infect and misuse isolated machines.

It is also mentioned that “Vehicle System (e.g. VSEP)” are a potential mission area. Car hacking could be beneficial for both abusing cars as weapons and for spying at the conversations inside cars.

Connecting the dots

Putting all together this is what shows up:

·         CIA hoards Zero-Day exploits for a wide range of operating systems, firmwares, and software.

·         It has special methodologies to circumvent established security software and network protection

·         There are mechanisms to circumvent encryption on smartphones

·         There are sophisticated methods to steal and exfiltrate data

·         The area of activities is not limited to PCs and smartphones. It comprises all smart interconnected devices in the Internet of Things, Industrial Internet of Things and Smart Vehicles.

Context and perspective

So what does this all mean for me and my business? Actually most of this is not new, it doesn’t break encryption itself and its sophistication has been doubted. An initial investigation conducted by security firms indicates that the CIA’s capabilities may not be as advanced as some have supposed. The Vault 7 “Year Zero” revelations are no surprise to security experts. Access to 'smart' devices was already considered a logical step in this development. More than four years ago we already pointed out this problem. Everything that is needed for a comprehensive and complete monitoring of private rooms by state bodies or criminals, can be achieved via software. The programs used in the devices and operating systems provide sufficient opportunities for remote access and deep intervention in the privacy of the users. The often quoted "I have nothing to hide but" becomes a bitter and ironic reality through the secret service (ab)use of the possibilities of the devices.   For years, secret services have been actively looking for security gaps in software and hardware. It is also to be assumed that in addition to researching these security gaps by the intelligence services itself, an active purchase of so-called high-potential exploits is also taking place in the digital black market. However, this isn’t the end yet: The collection of ideas found in the documents contains far more terrifying cyber tools, from the reading of access data to the registration of WLAN passwords. Some of the tools could be applied as cyber weapons. Some of the new insights will cause changes in best-practice. We will provide more information, when we’ve worked through all documents. Irrespective of the current Wikileaks revelations, all devices connected to the Internet can offer attack points that can be exploited by intelligence services or cyber criminals. The only way to handle this in the long run seems to be security by design. Vault 7 points out that we are not there yet.

Homework needs to be done

Irrespective of the current Wikileaks revelations, all devices connected to the Internet can offer attack points that can be exploited by intelligence services or cyber criminals. The only way to handle this in the long run seems to be security by design. Vault 7 points out that we are not there yet.

So what do we do in the meantime? What is the role of security solutions and their providers in this context? We (i.e. G DATA and probably most other players in the security industry) might have seen CIA tools in the past and might have created detection for it already without knowing. G DATA is very happy about the leaked information. It helps us to identify weak points in our protection model. We can update our risk models now that we know that some vague threats are now to be considered real risks that need dedicated handling. We will continue working through the “Year Zero” documents and the upcoming revelations of Vault 7 as soon as they appear. We will do our homework and will find ways to better protect our customers. We are pretty sure that our products will stay resistant in the battle of the internet no matter if it comes from nation-state spies or cybercriminals.