Tuesday, 7 March 2017

WikiLeaks Reveals CIA Built Collection of Zero-Day Android Exploits, Then Lost Control of It

If you regularly follow international news, you will have heard the name WikiLeaks. WikiLeaks is a non-profit organization that publishes secret information and news leaks, focusing on political and current affairs among other areas. A lot of what WikiLeaks publishes reaches front pages around the world, and for good reason.

Today, WikiLeaks began a new series of leaks on the U.S. Central Intelligence Agency (CIA), codenamed "Vault 7". The first part of the series, called "Year Zero", comprises 8,761 documents and files from an isolated, high-security network inside the CIA's Center for Cyber Intelligence (CCI). According to WikiLeaks, the CIA recently lost control of the majority of its hacking arsenal, including malware, trojans, weaponized zero-day exploits, malware remote control systems and more. Whoever holds this collection holds essentially the entire hacking capacity of the CIA.

"Year Zero" introduces the CIA's global covert hacking program, its malware arsenal and "dozens of zero day weaponized exploits" against a wide range of products and operating systems, including Android. For the scope of this article we will focus primarily on Android, which is present on 85% of devices around the world.

As WikiLeaks says in their press release:

"Year Zero" shows that as of 2016 the CIA had 24 "weaponized" Android "zero days" which it has developed itself and obtained from GCHQ, NSA and cyber arms contractors.

These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied.

WikiLeaks states that the time period covered by these leaks is 2013-2016. "Year Zero" itself was obtained recently and covers through 2016. The documents appear to have been pulled from an internal wiki of the CCI, but they are littered with redactions, extending even to archive attachments.

The Android-related zero-day vulnerabilities are detailed further on a dedicated page of the leak.

The leaks do make it clear that the U.S. government actively worked on researching and collecting exploits against a plethora of operating systems and hardware. The leaks relate primarily to the U.S. government, but that does not mean only the U.S. government organizes such activities. Citizen surveillance can be expected from any government (to some degree), however heavily it is dressed up in the garb of "national security".

With that said, we need to take a closer look at the Android exploits before getting anxious or alarmed. The "zero day" exploits mentioned in the leaks relate to older hardware and software, and many of the affected devices are no longer sold or supported. A zero-day exploit is one that targets a vulnerability whose existence is unknown to the vendor, which the attacker uses to take control before the vendor can find and patch the flaw. In several of these cases, however, vendors will not rush to patch the now-disclosed vulnerability simply because the affected product is too outdated to be of any consequence.

For example, the 'Dugtrio' Remote Access Vulnerability affects devices running Android 4.0 through 4.1.2. The Freedroid vulnerability affects Android 2.3.6 through 4.2 and is deemed unreliable on Android 4.3 and 4.4. The Flameskimmer vulnerability affects Android 4.4.4, but also requires the device to have a Broadcom Wi-Fi chipset. The Spearrow Remote Info Leak exploit requires Android 4.1.2, but its entry carries a trailing '?', which we presume indicates an unreliable success rate. For reference, Android 4.3 and below is present on 13.3% of Android devices as per the latest distribution numbers, while Android 4.4 adds another 21.9% (but note that the one 4.4.4 entry also requires specific hardware).

Further, several of these exploits target specific devices, but those devices are old and not easily found on the market today. For example, the Colobus exploit targets devices with Adreno 225 (Snapdragon S4 Plus) and Adreno 320 (Snapdragon 600) GPUs, which are found in dated phones such as the Sony Xperia Z, the Samsung Galaxy S4 i9505 and the HTC One (M7). The Simian exploit affects MSM8974 (Snapdragon 800) devices.

Perhaps the most relevant of these exploits are Galago, Snubble and Sulfur. Galago affects a few variants of the Samsung Galaxy Note 4, but even then the detail page lists only two affected build numbers (namely KTU84P.N910HXXU1ANK5 for the SM-N910 and KTU84P.N910SKSU1ANK8 for the SM-N910S). Snubble, on the other hand, affects the Samsung Galaxy S5 on build KOT49H.G900HXXU1ANCD, the Galaxy Note 3 on KOT49H.N900W8UBUCNC1 and the Galaxy S4 on KOT49H.I9500UBUFNB3. Some further builds of the Samsung Galaxy Note 4 are affected by Sulfur.

Even for specific applications the picture is dated: EggsMayhem affects "Chrome version 32-39 (present)", but Chrome 39, the version described as "present", was released back in late 2014.


The revelation of citizen surveillance techniques is certainly a cause for worry. First and foremost, such surveillance infringes on the basic right to privacy, which in the United States is protected against unreasonable government searches by the Fourth Amendment. Giving the government unrestricted and unmonitored access to our personal lives is a thought that would not sit well with many of us, and leaks like these make matters even more worrying given that no such consent was ever given, implicitly or explicitly.

We would urge readers to take a level-headed approach to the leaks. They show sinister government behavior, and we are with you on this, but before getting anxious or paranoid keep in mind that many of these exploits affect only a small portion of Android users, because they target outdated hardware and unsupported software that are both several generations behind. The leaks insist on being current, but the affected vectors belong more to 2014 than to 2016. The sensationalism of the WikiLeaks press release (evidenced by the citation below) is not supported by the leaked information as far as Android is concerned.

Further,

These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied.

With regard to this particular statement, there is no indication on the Android side that any of these applications or their security was specifically affected. What is indicated is that the integrity of the device itself was compromised, which gave the attacker a route to sniff and collect information from these applications before it was encrypted. That is what compromising an endpoint buys: end-to-end encryption protects messages in transit and on the servers, but once an attacker controls the phone they read the plaintext as it is typed or displayed, with no need to touch the cryptography. There is no indication that the encryption of these services was broken or that their security was compromised at the service level.

We do enter the territory of speculation here in order to present a balanced picture. It is possible that the internal CCI wiki page that leaked was already out of date when it was retrieved, or became out of date because of the delay before publication. It is also possible that newer and more relevant zero-day exploits were deliberately not added to the wiki to protect them from leaks like this one. Another possibility, given that the government actively worked to find and document such exploits in the past, is that it continues to do so today but has had less success as device security has improved. Even if the government does find new ones, there is very little chance it will consciously make their existence public, so do remain skeptical.


The WikiLeaks leaks have opened a can of worms and put digital security back into the spotlight. While the broader topic rightfully invites heated discussion, our current Android devices may very well remain largely uncompromised. However, the XDA team takes security seriously, so please do look into ways to secure your data wherever possible; you would be surprised how much a few small investments of time can do for your privacy.

What are your thoughts on the WikiLeaks "Year Zero" leaks? Let us know in the comments below!

Source: WikiLeaks Vault 7 Press Release



from xda-developers http://ift.tt/2nbsBCn
