
That CIA exploit list in full: The good, the bad, and the very ugly

We went through 8,000 documents so you don't have to

  • Android: The list of Android exploits is much longer than the one for its Cupertino cousin's operating system, iOS.

    Exploits such as Chronos and Creatine attack specific flaws in Qualcomm Adreno GPU drivers, while others like Starmie and Snubble only work against specific Samsung handsets. There is also a long run of Chrome-based attacks for Android that only work against older versions of the browser (the original article links to a full Chrome version history).

    There are also three implants listed – Bowtie, SuckerPunch, and RoidRage. The release notes for RoidRage show it can monitor all radio functions and allows SMS stealing.

    While the bulk of the exploits listed are privilege escalations, letting a malicious app gain more or total control of the infected device, some, like BaronSamedi, Dugtrio, and Salazar, provide remote access. Many of these were closed off in Android 4.4 and later, but bear in mind this list is three years old, and the revised grab bag of exploits currently in use could well be more effective against modern Android builds.

  • Antivirus: The CIA stash contains rundowns on most of the popular antivirus systems and how to defeat them. Much of the information has been redacted but there are a few snippets left.

    The documents note that evading F-Secure's detection is possible, but that the software has a pretty good heuristics engine that can pick up Trojan software. The agency devised two ways around it: using RAR file string tables, or cloning a RAR file manifest.

    Avira has similarly good heuristics, the files note, but two similar attacks appear to work. Avira is a high-value target, since the documentation notes that it is popular among counter-terrorism targets.

    Bitdefender's heuristic engine has also caused the CIA some problems when it comes to detecting the agency's malware. However, one file notes: "cleartext resources or simple RXOR-ed resources don't seem to cause Bitdefender to trip."

    Comodo's code is described as a "giant PITA" for its malware detection capabilities. It has a weak spot, though: it doesn't scan the contents of the Recycle Bin. The notes say malware can be stored safely there, but may be detected once it is run.

    Since version six of Comodo's code, things have become a lot easier, and the CIA has a technique dubbed the Gaping Hole of DOOM: that version ignores anything it thinks is part of the Windows core operating system.

    "Anything running as SYSTEM is automatically legit under 6.X. ANYTHING," the document states. "Let that sink in. Got a kernel-level exploit? Good, because you can drop the kitchen sink and the contents of your garage and as long as you continue to run as SYSTEM you are golden. Yeah."

    Details on AVG are sketchy, but the CIA trove indicates at least two ways to defeat the security software. These include a fake installer and malware that can be dropped onto a system and activated by a specific web link.

    Antivirus code and other programs can also be targeted by a series of tools developed under the moniker WreckingCrew. The vast majority of these were still under development, but two were finished and could be used to shut down security software and to "troll people."

  • Signal/WhatsApp: In some good news for privacy advocates, nothing in the documents suggests the CIA has cracked the popular end-to-end encrypted chat protocol created by Open Whisper Systems, which is used in Signal and WhatsApp. The caveat is that it doesn't need to: the Android exploits above hand over control of the handset itself, where messages sit in plaintext before they are encrypted and after they are decrypted.
  • CD/DVD attacks: There are still plenty of people in the world using CDs and DVDs, so the CIA has developed code called HammerDrill to exploit the storage medium.

    Version two of the software allows an infected computer to log what CDs and DVDs are being read by the user, for how long, and the data they contain. The CIA also added a function in the second build that allows it to install a hidden Trojan in new discs being burned, if the target is using the popular Nero burning software.

    The developer notes state that a 279-byte shellcode can be burned onto the storage medium that will run on 32-bit Windows systems. The documents note that Kaspersky antivirus (a top choice in Russia and elsewhere) can be bypassed in this way.

  • Smart TVs: The CIA and the British spies at MI5 have developed an attack known as Weeping Angel. This can put smart TVs – Samsung's is mentioned – into a "Fake-Off mode," which makes the device look like it's powered down with its LEDs off. However, it's still on and can now be used as a bugging device. The Wi-Fi keys the TV uses are also slurpable.

    Beyond the working exploit, the documents list areas the CIA hackers wanted to research further: keeping Wi-Fi on while in Fake-Off mode, enabling video capture, getting at the caches of stored audio recordings, and setting up a man-in-the-middle attack against the television's browser.

    The TV is compromised via a USB stick inserted into the device, but the documents show that if the user has updated the set to firmware version 1118 or above then the hack won't work. The documents also note that only 700MB of the 1.6GB of onboard storage is available for spying uses.

  • IoT devices: It's clear the CIA is looking actively at subverting Internet of Things devices with its Embedded Development Branch.

    The documents here are somewhat scant, but from meeting notes in 2014 it's clear that the analysts are looking at self-driving cars, customized consumer hardware, Linux-based embedded systems, and whatever else they can get their hands on.

    Those Amazon Echo or Google Home devices are looking less and less attractive every day.
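The Bitdefender note in the antivirus section above, that cleartext or simply rolling-XORed resources don't trip the scanner, is worth seeing from the defender's side. The block below is an added example, not code from the leaked documents or from any vendor: it assumes "RXOR" means a one-byte XOR key that advances by a fixed step after every byte (a labelled assumption; the leak doesn't define the scheme), encodes a constructed PE-like resource with it, and then recovers both the key and the step by known-plaintext search for the DOS stub string that nearly every Windows executable carries. It shows why such encoding beats a plain string-signature engine and why it offers no real secrecy against a scanner that looks a little harder.

```python
"""Rolling-XOR resource encoding and a known-plaintext detector.

Added example. "RXOR" here is assumed to mean: byte i is XORed with
(key + i*step) mod 256. Single-byte XOR is the step = 0 special case.
"""

# DOS-stub string present in almost every PE file; a good known plaintext.
MZ_PE_MARKER = b"This program cannot be run in DOS mode"


def rxor(data: bytes, key: int, step: int = 0) -> bytes:
    """Encode or decode (the transform is its own inverse)."""
    out = bytearray(len(data))
    k = key & 0xFF
    for i, b in enumerate(data):
        out[i] = b ^ k
        k = (k + step) & 0xFF
    return bytes(out)


def find_rxor_marker(blob: bytes, marker: bytes = MZ_PE_MARKER):
    """Locate `marker` under an unknown rolling-XOR key.

    For each candidate offset, the first two bytes fix key and step
    uniquely; the remaining marker bytes verify the guess. Returns
    (offset, key_at_blob_start, step) or None. Cost is O(len(blob) * len(marker)),
    far cheaper than trying all 65,536 (key, step) pairs.
    """
    n, m = len(blob), len(marker)
    for off in range(n - m + 1):
        k0 = blob[off] ^ marker[0]
        step = ((blob[off + 1] ^ marker[1]) - k0) & 0xFF
        k = k0
        for j in range(m):
            if blob[off + j] ^ k != marker[j]:
                break
            k = (k + step) & 0xFF
        else:
            # Rewind the key stream from `off` back to byte 0 of the blob.
            key_at_start = (k0 - off * step) & 0xFF
            return off, key_at_start, step
    return None


def build_sample_resource() -> bytes:
    """Constructed stand-in for a PE-like resource (not a real executable)."""
    dos_header = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    return dos_header + b"\x00" * 48 + MZ_PE_MARKER + b".\r\r\n$\x00" + bytes(range(256))


def demo():
    """Encode the sample, show plain signature matching fails, then recover the key."""
    plain = build_sample_resource()
    encoded = rxor(plain, key=0x5A, step=7)  # assumed attacker parameters
    naive_hit = MZ_PE_MARKER in encoded      # what a cleartext-only scanner sees
    hit = find_rxor_marker(encoded)
    recovered = rxor(encoded, hit[1], hit[2]) if hit else None
    return naive_hit, hit, recovered == plain


if __name__ == "__main__":
    naive_hit, hit, restored = demo()
    print("cleartext signature hit on encoded blob:", naive_hit)   # False
    print("known-plaintext recovery (offset, key, step):", hit)   # (64, 90, 7)
    print("decoded blob matches original:", restored)             # True
```

The point for detection engineering: a string signature on the encoded resource fails, which is exactly the gap the leaked note describes, but the key space of a rolling XOR is tiny and the PE format is full of known plaintext, so a scanner that derives the key from two bytes and verifies the rest recovers the payload at negligible cost.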

Other interesting snippets are that some of the documents contain the licence keys of software the CIA uses. These include keys for OmniGraffle graphic design software and the Sublime text editor, but in the latter case the 10-user licence key was listed as belonging to Affinity Computer Technology, a small computer repair shop in Sterling, Virginia.

We spoke to Affinity's manager, Bill Collins, who checked out the page and pronounced himself baffled. They're a small computer repair shop, he said, with no links to the CIA.

There are also some amusing touches. One analyst included a list of favorite ASCII emoticons for conversing online with Japanese people, along with games they like to play and some music suggestions. The same analyst also appears to be a Monty Python fan.

There is no way to read the entire archive in a day. If you are a developer or a technology vendor, it's worth going through the archive. We suspect a lot of companies have been doing little else all day. ®


Biting the hand that feeds IT © 1998–2017