The NSA, it seems, isn’t the only American spy agency hacking the world. Judging by a new, nearly 9,000-page trove of secrets from WikiLeaks, the CIA has developed its own surprisingly wide array of intrusion tools, too.
On Tuesday morning, WikiLeaks released what it’s calling Vault 7, an unprecedented collection of internal CIA files—what appear to be a kind of web-based Wiki—that catalog the agency’s apparent hacking techniques. And while the hordes of security researchers poring through the documents have yet to find any actual code among its spilled secrets, it details surprising capabilities, from dozens of exploits targeting Android and iOS to advanced PC-compromise techniques and detailed attempts to hack Samsung smart TVs, turning them into silent listening devices.
“It certainly seems that in the CIA toolkit there were more zero-day exploits than we’d estimated,” says Jason Healey, a director at the Atlantic Council think tank, who has focused on tracking how many of those “zero-days”—undisclosed, unpatched hacking techniques—the US government has stockpiled. Healey says that he had previously estimated American government agencies might have held onto less than a hundred of those secret exploits. “It looks like CIA might have that number just by itself.”
The leak hints at hacking capabilities that range from routers and desktop operating systems to internet-of-things devices. But it seems to most thoroughly detail the CIA’s work to penetrate smartphones: One chart describes more than 25 Android hacking techniques, while another shows 14 iOS attacks.
Given the CIA’s counterterrorism work—and the ability of a phone exploit to keep tabs on a target’s location—that focus on mobile makes sense, Healey says. “If you’re going to be trying to figure where Bin Laden is, mobile phones are going to be more important.”
The smartphone exploits listed, it’s important to note, are largely old. Researchers date the leak to sometime between late 2015 and early 2016, suggesting that many of the hacking techniques that may have once been zero days are now likely patched. The leak makes no mention of iOS 10, for instance. Google and Apple have yet to weigh in on the leak and whether it points to vulnerabilities that still persist in their mobile operating systems. Android security researcher John Sawyer says he has combed the Android attacks for new vulnerabilities and found “nothing that’s scary.”
He also notes, though, that the leak still hints at CIA hacking tools that have no doubt continued to evolve in the years since. “I’m quite sure they have far newer capabilities than what’s listed,” Sawyer says.
Targeting Android, for instance, the leak references eight remote-access exploits—meaning they require no physical contact with the device—including two that target Samsung Galaxy and Nexus phones and Samsung Tab tablets. Those attacks would offer hackers an initial foothold on target devices: In three cases, the exploit descriptions reference browsers like Chrome, Opera, and Samsung’s own mobile browser, suggesting that they could be launched from maliciously crafted or infected web pages. Another 15 tools are marked “priv,” suggesting they’re “privilege escalation” attacks that expand a hacker’s access from that initial foothold to gain deeper access, in many cases the “root” privileges that suggest total control of the device. That means access to any onboard files but also the microphone, camera, and more.
The iOS vulnerabilities offer more piecemeal components of a hacker tool. While one exploit offers a remote compromise of a target iPhone, the WikiLeaks documents describe the others as techniques to defeat individual layers of the iPhone’s defense. That includes the sandbox that limits applications’ access to the operating system and the security feature that randomizes where a program runs in memory to make it harder to corrupt adjacent software.
“Definitely with these exploits chained together [the CIA] could take full control of an iPhone,” says Marcello Salvati, a researcher and penetration tester at security firm Coalfire. “This is the first public evidence that’s the case.”
The leak sheds some limited light on the CIA’s sources of those exploits, too. While some of the attacks are attributed to public releases by iOS researchers and the Chinese hacker Pangu, who has developed techniques to jailbreak the iPhone to allow the installation of unauthorized apps, others are attributed to partner agencies or contractors under codenames. The remote iOS exploit is listed as “Purchased by NSA” and “Shared with CIA.” The CIA apparently purchased two other iOS tools from a contractor listed as “Baitshop,” while the Android tools are attributed to sellers codenamed Fangtooth and Anglerfish.
In a tweet, NSA leaker Edward Snowden pointed to those references as “the first public evidence [the US government] is paying to keep US software unsafe.”
Internet of Spies
While the leak doesn’t detail the CIA’s attack techniques for desktop software like Windows and MacOS as explicitly, it does reference a “framework” for Windows attacks that seems to act as a kind of easy interface for hacking desktop machines, with “libraries” of vulnerabilities that attackers can swap in and out. It lists attacks that bypass and even exploit a long list of antivirus software to gain access to target desktop machines. And for MacOS, the document references an attack on computers’ BIOS, the software that boots before the rest of the operating system. Compromising that can lead to a particularly dangerous and deep-rooted malware infection.
“This is something we already know that can be done, but we haven’t seen it in the wild,” says Alfredo Ortega, a researcher for security firm Avast. “And by a government, no less.”
The most surprising and detailed hack described in the CIA leak, however, targets neither smartphones nor PCs, but televisions. A program called Weeping Angel details work in 2014 to turn Samsung’s smart TVs into stealthy listening devices. The research notes include references to a “Fake Off” mode that disables the television’s LEDs to make it look convincingly powered down while still capturing audio. Under a “to-do” list of potential future work, it lists capturing video, too, as well as using the television’s Wi-Fi capability in that Fake Off mode, potentially to transmit captured eavesdropping files to a remote hacker.
A tool called TinyShell appears to allow the CIA hackers full remote control of an infected television, including the ability to run code and offload files, says Matt Suiche, a security researcher and founder of the UAE-based security firm Comae Technologies. “I would assume that, by now, they would definitely have exploits for Samsung TVs,” Suiche says. “This shows that they’re interested. If you’re doing the research, you’re going to find vulnerabilities.” Samsung did not respond to WIRED’s request for comment.
The fact that the CIA mixes this sort of digital espionage with its more traditional human intelligence shouldn’t come as a surprise, says the Atlantic Council’s Healey. But he says the sheer volume of the CIA’s hacking capabilities described in the WikiLeaks release took him aback nonetheless. And that volume calls into question supposed limitations on the US government’s use of zero-day exploits, like the so-called Vulnerabilities Equities Process—a White House initiative created under President Obama to ensure that security vulnerabilities found by US agencies were disclosed and patched, where possible.
If Vault 7 is any indication, that initiative has taken a back seat to assembling a formidable array of hacking tools. “If the CIA has this many,” Healey says, “we would expect the NSA to have several times more.”