Wikileaks documents: Here's how the CIA was hacking your smart devices

By Prasid Banerjee | Published on 08 Mar 2017
  • Documents leaked by Wikileaks have made the world aware of the huge arsenal of hacking tools the CIA possesses to break into smartphones, smart TVs, Windows PCs and Macs.

American intelligence has once again been caught with its pants down, this time by Wikileaks. Known for publishing secret and classified information, Wikileaks yesterday published a huge tranche of CIA documents, which it calls Vault7, detailing how the intelligence agency hacks smartphones, tablets and even smart televisions.

Before getting into what the headline promises, it is worth noting that most of the smartphone hacks mentioned in the documents date back to 2015 and 2016. Many of them may already have been patched by the vendors, although, by the same token, the CIA may have improved its techniques since then.

Android devices

Phones and tablets are obvious targets for an agency like the CIA: they are everywhere, and they carry a treasure trove of information about their owner, which makes them ideal surveillance tools. The Wikileaks documents list 25 exploits for Android-based smartphones and 14 for iOS devices.

Among these are techniques that give the CIA “root” access to an Android phone. Root is the superuser account on Android, so an attacker who gets it can read every bit of information on the device, including personal photos and files, and can use the cameras on the phone or tablet. References to “root” appear seven times among the Android exploits.

Further, six Android exploits give the attacker (the CIA) remote access to a device, meaning no physical contact is needed for the hack. Various versions of Google Chrome, the Opera browser and Samsung’s mobile browser are listed against these exploits, suggesting that the browsers are the way in. Chrome versions 32 to 39 are listed, along with the specific build 28.0.1500.94.

Moving on, two exploits, LugiaLight and Nightmonkey, are listed as affecting MSM devices on 4.4. MSM is presumably a reference to Qualcomm’s SoCs, whose model numbers usually carry the MSM prefix, and 4.4 most likely refers to Android 4.4 KitKat. In fact, Livestrong, the exploit listed right above LugiaLight and Nightmonkey, mentions Android 4.4 KitKat explicitly. The same is true of Flameskimmer, but that one appears to affect only devices with Broadcom Wi-Fi chipsets.

You will also see references to various Samsung devices, including the SM-N910 and SM-910S, which are variants of the Galaxy Note 4. The Samsung Galaxy S5, Galaxy S4, Note 3, Galaxy Tab 2 and many others are mentioned in other exploits.

An exploit called Dugtrio, evidently named after the Pokémon, is listed as affecting “newer Samsung devices”, though the documents do not guarantee that it works on them. Chronos and Creatine are two exploits targeting the Adreno 225 and 320 GPUs in the Nexus 7 tablet running Android 4.4.2.

The last Android hack, called T2 (presumably a reference to Terminator 2), compromises Android versions released before June 2014.
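As an added example, not taken from the article or from the leaked documents, the Python script below turns the Android indicators named above (Chrome 32 to 39 or build 28.0.1500.94, Android 4.4 KitKat, and the SM-N910 Galaxy Note 4 variants) into a triage pass over web server access logs, so an administrator can pick out devices in the listed ranges from their User-Agent strings. The log lines are constructed samples, the regular expressions and thresholds are this example's own assumptions, and a match is only a prompt to check that a device has been updated, not proof that it is affected.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicators named in the leaked Android exploit listings discussed above.
CHROME_MAJOR_RANGE = (32, 39)            # Chrome versions 32-39 are listed
CHROME_EXACT_BUILD = "28.0.1500.94"      # one specific Chrome build is listed
ANDROID_RELEASE = "4.4"                  # KitKat, named by several exploits
SAMSUNG_MODEL_PREFIXES = ("SM-N910",)    # Galaxy Note 4 variants referenced

# User-Agent fragments such as "Android 4.4.2; SM-N910F Build/..." and
# "Chrome/34.0.1847.114" (patterns are assumptions for this example).
RE_CHROME = re.compile(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")
RE_ANDROID = re.compile(r"Android (\d+(?:\.\d+)*)")
RE_MODEL = re.compile(r";\s*(SM-[A-Z0-9]+)")
# Combined-log-format lines end with the quoted User-Agent field.
RE_LAST_QUOTED = re.compile(r'"([^"]*)"\s*$')


@dataclass
class Triage:
    user_agent: str
    chrome: Optional[str] = None
    android: Optional[str] = None
    model: Optional[str] = None
    reasons: List[str] = field(default_factory=list)


def triage_user_agent(ua: str) -> Triage:
    """Extract Chrome build, Android release and Samsung model from a UA string
    and record which of the listed indicators it matches."""
    t = Triage(user_agent=ua)

    m = RE_CHROME.search(ua)
    if m:
        t.chrome = ".".join(m.groups())
        major = int(m.group(1))
        lo, hi = CHROME_MAJOR_RANGE
        if lo <= major <= hi:
            t.reasons.append(f"Chrome {major} is in the listed range {lo}-{hi}")
        elif t.chrome == CHROME_EXACT_BUILD:
            t.reasons.append(f"Chrome build {t.chrome} is listed explicitly")

    m = RE_ANDROID.search(ua)
    if m:
        t.android = m.group(1)
        # Match 4.4 and any 4.4.x point release, but not 4.40 or similar.
        if t.android == ANDROID_RELEASE or t.android.startswith(ANDROID_RELEASE + "."):
            t.reasons.append(f"Android {t.android} (KitKat) is named by several exploits")

    m = RE_MODEL.search(ua)
    if m:
        t.model = m.group(1)
        if t.model.startswith(SAMSUNG_MODEL_PREFIXES):
            t.reasons.append(f"{t.model} is a Galaxy Note 4 variant referenced in the listings")

    return t


def triage_log(lines) -> List[Triage]:
    """Run the UA triage over combined-format access log lines; lines without a
    trailing quoted User-Agent field are skipped."""
    results = []
    for line in lines:
        m = RE_LAST_QUOTED.search(line)
        if m:
            results.append(triage_user_agent(m.group(1)))
    return results


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Mar/2017:10:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Linux; Android 4.4.2; Nexus 7 Build/KOT49H) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/34.0.1847.114 Safari/537.36"',
    '10.0.0.6 - - [08/Mar/2017:10:12:07 +0000] "GET /news HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Linux; Android 5.0.1; SM-N910F Build/LRX22C) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/56.0.2924.87 Mobile Safari/537.36"',
    '10.0.0.7 - - [08/Mar/2017:10:12:09 +0000] "GET /news HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Linux; Android 7.1.1; Pixel Build/NMF26O) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/56.0.2924.87 Mobile Safari/537.36"',
    '10.0.0.8 - - [08/Mar/2017:10:12:15 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Linux; Android 4.3; GT-I9505 Build/JSS15J) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36"',
]

if __name__ == "__main__":
    for t in triage_log(SAMPLE_LOG):
        status = "CHECK" if t.reasons else "ok"
        print(f"[{status}] Android={t.android} Chrome={t.chrome} model={t.model}")
        for reason in t.reasons:
            print("   -", reason)
```

Run against a real access log, the script flags the Nexus 7 on KitKat with Chrome 34 on two counts, the Note 4 variant on its model number alone, and the Galaxy S4 only because of its exact Chrome build; the up-to-date Pixel passes. User-Agent strings are trivially spoofable, so this is a fleet-hygiene sweep for devices that need updating, not a detection of compromise.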

Our queries to Google about these hacks haven't been answered yet.

iOS devices

Much like the Android hacks, none of the iOS hacks reference iOS 10, Apple’s newest operating system, which runs on over 70% of its devices right now. In fact, we spotted only two references to iOS 9 (iOS 9.1 and 9.2) in Wikileaks’ documents. In addition, none of the iPhone hacks appear to grant superuser/root access on their own. It is possible, however, that chaining several of these exploits would give an attacker complete control of an iPhone or iPad.

One of the iOS exploits also points towards granting remote access to attackers. The exploit, called Earth/Eve, was purchased by the NSA and ported by GCHQ.

Another exploit, called Rhino, “reads KEXT info”. While we aren’t yet sure what that entails, KEXT refers to kernel extension files on Apple’s devices, which gives some indication of where the attack is aimed.

Looking at the documents, they seem to reinforce the impression that Apple’s devices are tougher to hack than Android ones. To its credit, Apple has already said that many of the exploits mentioned in the Wikileaks documents have been patched in its latest OS, and that it is working to plug the remaining holes. "Apple is deeply committed to safeguarding our customers’ privacy and security. The technology built into today’s iPhone represents the best data security available to consumers, and we’re constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates," said Apple.

Samsung Smart TVs

Hacking smart TVs seems limited to Samsung’s smart televisions for now. The documents specifically reference the Samsung F8000 smart TV, an older model running one of Samsung’s in-house operating systems. It is unclear whether this is an older version of Tizen, which powers the company’s current smart TVs.

A particular hack, called Weeping Angel, describes a “fake-off” mode, which turns off the LEDs on the TV so that it looks switched off while it continues to record audio in the background, effectively turning the set into a bug for listening in on conversations. The open-source SamyGO project, a community effort that builds custom firmware for Samsung TVs, is also mentioned in the documents: “There are several utilities that may be useful in the SamyGo toolset (i.e. tcpdump),” says one of the Weeping Angel documents.

“This is actually a physical attack,” explained Rahul Tyagi. The “fake-off” mode requires the attacker to press certain keys on the remote, such as Mute+182+Power Off, which turns the screen off. Pressing these keys turns off the “auto-updates” option on these TVs, and the recorded audio is no longer encrypted, Tyagi said. From there, the CIA can send the audio to its servers, since the TV is already connected to the Internet. Tyagi is a security expert and VP at Lucideus, an IT risk management and digital security services provider.

It is worth noting that Weeping Angel applies only to sets from 2012 and 2013, and only if they haven’t been updated. Tyagi says that if your TV is among the model numbers listed below, you should check the auto-updates option; if it is turned off, you are most likely already compromised. Samsung hasn't yet responded to our queries.

Model Numbers: UNF7500 series, UNF7000 series, UNF8000 series, UNF8500 series, UNES8000F series, E8000GF and UNES7550F.
Firmware Numbers: 1111, 1112, 1116

PCs and Macs

While the information on PCs and Macs pales in comparison to what the CIA is doing with phones and TVs, there’s still something there. The Vault7 press release says the CIA runs “substantial efforts” to infect and compromise Microsoft Windows users. The agency’s arsenal includes viruses that spread via USB drives, CDs and DVDs, and ways to hide data in “covert disk areas”.

The agency also has malware for Apple’s macOS, though, as with the phones and TVs, none of the information pertains to current devices. Windows, macOS, OS X, Solaris, Linux and other systems all fall within the agency’s purview. We found references to a BIOS attack for the Mac, as well as a list of libraries that can be used for Windows attacks.

The PC hacks are underscored by the sizeable list of anti-virus software mentioned in the documents. The CIA can apparently get past big names like AVG, Avast, F-Secure, Norton and more.

Prasid Banerjee

Trying to explain technology to my parents. Failing miserably.
