A concerted effort by the CIA produced a library of software attacks to crack into Android smartphones and Apple iPhones, including some that could take full control of the devices, according to documents in a trove of files released by WikiLeaks Tuesday.
The attacks allow for varying levels of access — many powerful enough to allow the attacker to remotely take over the “kernel,” the heart of the operating system that controls the operation of the phone, or at least to have so-called “root” access, meaning extensive control over files and software processes on a device. These types of techniques would give access to information like geolocation, communications, contacts, and more. They would most likely be useful for targeted hacking, rather than mass surveillance. Indeed, one document describes a process by which a specific unit within the CIA “develops software exploits and implants for high priority target cellphones for intelligence collection.”
The WikiLeaks documents also include detailed charts concerning specific attacks the CIA can apparently perform on different types of cellphones and operating systems, including recent versions of iOS and Android — in addition to attacks the CIA has borrowed from other, public sources of malware. Some of the exploits, in addition to those purportedly developed by the CIA, were discovered and released by cybersecurity companies, hacker groups, and independent researchers, and purchased, downloaded, or otherwise acquired by the CIA, in some cases through other members of the intelligence community, including the FBI, NSA, and the NSA’s British counterpart GCHQ, the documents indicate.
One borrowed attack, Shamoon, is a notorious computer virus capable of stealing data and then completely destroying hardware. Persistence, a tool found by the CIA, allows the agency to retain control over the device whenever it boots up again. Another acquired attack, SwampMonkey, allows the CIA to get root privileges on undisclosed Android devices.
“This is a very impressive list,” tweeted former GCHQ analyst Matt Tait, noting that at least some of the attacks appeared to still be viable.
Matt Green, cryptographer at Johns Hopkins University, agreed the leak was “impressive,” but concluded there weren’t many “technically surprising” hacks. This lack of originality may have stemmed from a desire on the part of the agency to avoid detection, judging from one document contained in the trove, in which apparent CIA personnel discuss an NSA hacking toolkit known as Equation Group and its public exposure. It was also previously known that the CIA was targeting smartphones; drawing on top-secret documents, The Intercept in 2015 reported on an agency campaign to crack into the iPhone and other Apple products.
In addition to the CIA’s efforts, an FBI hacking division, the Remote Operations Unit, has also been working to discover exploits in iPhones, one of the WikiLeaks documents, the iOS hacking chart, indicates. Last February, while investigating the perpetrator of a mass shooting in San Bernardino, the FBI argued in court that Apple was obligated to give the FBI access to its phones by producing a weakened version of the device’s operating system. If the WikiLeaks documents are authentic, it would appear the FBI and other elements of the intelligence community are already deeply involved in discovering their own way into iPhones. The compromise of the documents also calls into question government assurances in the San Bernardino case that any exploit developed by Apple to allow the FBI access to the killer’s phone would never be exposed to criminals or nation states.
The CIA and FBI hacking revelations originate with a trove of more than 8,000 documents released by WikiLeaks, which said the files originated from a CIA network and date from 2013 to 2016. The CIA declined to comment on the documents, which also disclose techniques the CIA allegedly developed to turn so-called smart televisions into listening devices. Apple did not respond to a request for comment, and Google declined to comment, though indicated it was actively investigating the revelations.
It’s unclear who might have given WikiLeaks access to the documents; a summary of the material hosted on the site implies it came from a whistleblower who “wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.” But the leaker could also be an outsider, including one employed by a foreign power.
“This could be as much about Russia as CIA or WikiLeaks,” tweeted Jason Healey, Senior Research Scholar at Columbia University’s School for International and Public Affairs. “A continuation of teardown of U.S. government.”
German iOS security researcher Stefan Esser, according to a chart in the file database, developed an iOS exploit named “Ironic,” which gives access to the operating system kernel — though the hack “died” when iPhones were updated to iOS8, the chart appears to indicate. Esser, in an email to The Intercept, said he is not one to comb through classified documents or comment on them — but noted CIA had apparently “used public research of mine about a vulnerability that Apple required four attempts at fixing” in iOS. Esser’s bug was already public when CIA included it in its database. He also noted that a training slide he presented during a security conference in 2015 was also included in the dump.
WikiLeaks discussed, without referring to any specific document, the access levels the CIA has to encrypted applications, including Open Whisper Systems’ popular application Signal — though the documents do not indicate the CIA has broken the app’s end-to-end encryption. Rather, WikiLeaks suggests the CIA can “bypass” the encryption by hacking into the phone itself, then reading everything on it, including data stored within any app — including messages from Telegram, WhatsApp, and other secure messaging apps. If a phone itself is compromised, there’s little to be done to prevent an attacker from accessing what’s on it.
Some of the attacks are what are known as “zero days” — exploitation paths hackers can use that vendors are completely unaware of, giving the vendors no time — zero days — to fix their products. WikiLeaks said the documents indicate the CIA has violated commitments made by the Obama administration to disclose serious software vulnerabilities to vendors to improve the security of their products. The administration developed a system called the Vulnerabilities Equities Process to allow various government entities to help determine when it’s better for national security to disclose unpatched vulnerabilities and when it’s better to take advantage of them to hunt targets.
At least some civil liberties advocates agree with the WikiLeaks assessment. “Access Now condemns the stockpiling of vulnerabilities, calls for limits on government hacking and protections for human rights, and urges immediate reforms to the Vulnerabilities Equities Process,” Nathan White, senior legislative manager for digital rights group Access Now, wrote in response to the new leak in a press release.