Thursday , March 23 2017

Wikileaks release details of CIA mobile OS hacks: nothing new here, move along

This morning we awoke to news of Wikileaks releasing thousands of documents detailing the CIA and their involvement with hacking Android (and other OSes). Most of the mainstream media sites picked it up, which Wikileaks loved of course, but none of them put it into context. Here is the context — the documents themselves mean nothing.

I follow a lot of white-hat security “hackers” on Twitter and reading over my thread made me realise that this is all sensationalism by Wikileaks and the mainstream media.

Their press release also does its best to make the leaks seem relevant:

A similar unit targets Google’s Android which is used to run the majority of the world’s smart phones (~85%) including Samsung, HTC and Sony. 1.15 billion Android powered phones were sold last year. “Year Zero” shows that as of 2016 the CIA had 24 “weaponized” Android “zero days” which it has developed itself and obtained from GCHQ, NSA and cyber arms contractors.

These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Weibo, Confide and Cloakman by hacking the “smart” phones that they run on and collecting audio and message traffic before encryption is applied.

Looks scary, right? Call them zero-days and everyone panics. A zero-day is a vulnerability (or the exploit for it) that the software vendor does not yet know about, so no patch exists for it. According to well-known Android security researcher Jon Sawyer, a few of the Android bugs in the documents are already known (not zero-days, in other words) while others appear to be old. On his Twitter account he goes on to say that the material released by Wikileaks is “OLDDDDDDDDDDDDDDDDDDDDD and misrepresented”. Nothing leaked by Wikileaks is significant... anymore.

If you want to read more of what security researchers are saying about this leak, head to the Erratasec website. Of note is that the CIA is not hoarding zero-days: what they are doing is straightforward hacking using exploits that can be found on the Internet if you know where to look.

The leaks do attribute some known malware to the CIA, so antivirus vendors can now write detections for it and blunt those CIA efforts. What we should be worried about is in the following response from Jon Sawyer:

So while the leaks themselves mean little, as the bugs they describe are already known and most have been patched, they signal something else — that governments are actively attempting to circumvent mobile operating systems around the world. I doubt this comes as much of a surprise to most of you.

While some people say that they have nothing to hide and it does not worry them, if governments are doing this then there is no doubt that others are using the same exploits for nefarious reasons. Be it your personal information, your bank details or something else, no one wants an unknown entity rifling through the data on their phone.

How can you prevent this from happening? Buy phones that receive regular security updates. Google publishes an Android security bulletin with patches every month and usually rolls them out to its own devices in that same month. Can the same be said for all manufacturers? Unfortunately not. If this concerns you, find out how well a company performs with its security updates before you make your next purchase.

The other thing you can do to reduce your chances of becoming a victim is to only install software from the Google Play Store. Google scans every app submitted to the Play Store for malware; it does not catch everything, but it removes most of the risk compared with sideloading an APK from an unknown site. Common sense is the name of the game.
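Both recommendations above can be checked on a phone in about a minute. The script below is an added example, not code from the article or from Google: it works out how old the device's security patch level is and lists packages that did not come from the Play Store. The real device commands are `adb shell getprop ro.build.version.security_patch` and `adb shell pm list packages -i`; because nothing here talks to a device, it runs on constructed sample output in the same format. The two-month staleness threshold, the sample package names and the reference date are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the article: a quick hygiene check for an
# Android phone, covering the two recommendations above.
# Real-device commands (nothing in this script talks to a device):
#   adb shell getprop ro.build.version.security_patch   -> e.g. 2017-03-05
#   adb shell pm list packages -i                        -> installer per package
# The sample data below is constructed output in the same format.

# Months between a patch level and a reference date, both YYYY-MM-DD.
patch_age_months() {
    p_y=${1%%-*}; p_rest=${1#*-}; p_m=${p_rest%%-*}
    r_y=${2%%-*}; r_rest=${2#*-}; r_m=${r_rest%%-*}
    # Strip a leading zero so "08" is not parsed as an (invalid) octal number.
    p_m=${p_m#0}; r_m=${r_m#0}
    echo $(( (r_y * 12 + r_m) - (p_y * 12 + p_m) ))
}

# "ok" if the patch level ($1) is at most $3 months older than the reference
# date ($2), otherwise "stale". Two months is the assumed threshold used below.
patch_status() {
    age=$(patch_age_months "$1" "$2")
    if [ "$age" -le "$3" ]; then echo ok; else echo stale; fi
}

# Reads `pm list packages -i` output on stdin and prints each package whose
# installer is not the Play Store (com.android.vending). installer=null means
# no installer was recorded: a preloaded system app, or a sideloaded APK.
sideloaded_packages() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;
        esac
        set -- $line          # whitespace split: "package:X" "installer=Y"
        pkg=${1#package:}
        inst=${2#installer=}
        [ "$inst" = "com.android.vending" ] || echo "$pkg"
    done
}

# Constructed sample: patch level and package list of an imaginary device.
SAMPLE_PATCH_LEVEL=2016-12-01
SAMPLE_PACKAGES='package:com.android.chrome  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.whatsapp  installer=com.android.vending
package:com.example.vendorstore.app  installer=com.example.vendorstore'

# Reference date: the article's publication date. Use $(date +%Y-%m-%d) for a
# live check.
TODAY=2017-03-23

echo "patch level $SAMPLE_PATCH_LEVEL is $(patch_age_months "$SAMPLE_PATCH_LEVEL" "$TODAY") months old: $(patch_status "$SAMPLE_PATCH_LEVEL" "$TODAY" 2)"
echo "packages not installed from the Play Store:"
printf '%s\n' "$SAMPLE_PACKAGES" | sideloaded_packages
```

On a real phone, pipe `adb shell pm list packages -i` into `sideloaded_packages` and pass the output of `adb shell getprop ro.build.version.security_patch` to `patch_status`. Preloaded vendor apps also show up as `installer=null`, so treat the list as a starting point for review rather than a verdict.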

So while the sky is NOT falling and the Wikileaks trove released today is old, outdated and no longer significant by itself, it points to a greater problem we should all be aware of — cybersecurity. Use your phone safely: install apps only from trusted sources such as the Google Play Store and buy phones that receive regular security updates.

Source: Jon Sawyer, Zuk, and Erratasec.

Scott Plowman, Senior Associate

  • Pumpino

    Very few manufacturers provide monthly patches. Samsung seems to for most models, and Sony isn’t bad. However, the only way I’ve found to receive prompt and regular patches is to run LineageOS or MIUI on my phones. Yes, I know people hate MIUI, but Xiaomi’s dev ROMs are released weekly and are patched. Also, whilst devices rarely receive a bump in Android version, they receive MIUI and security updates for years. Google is the only other manufacturer to do this.

  • Dean Rosolen

    I’d like to add that if security concerns you, you should always buy the generic country variant of a phone rather than going through a carrier. The country variant will generally receive updates before any carrier variant does.

  • RB

    I don’t think Wikileaks is purporting to publish the latest batch of exploits fresh out of the CIA/NSA/whoever playbook. It’s more creating the awareness that this sort of stuff goes on.

  • zeitgeb3r

    We already allow Google and Facebook employees to read our gmail and private FB accounts. They know more about me than I know myself. Nothing new here. Move along.

  • Markus

    Hmmmm, you seem to have missed the entire significance of the leak. Sure, no new existing vulnerabilities were found but the agency knew and exploited vulnerabilities it found, for a prolonged period of time, without disclosure.

    This in turn exposed users of the devices or operating systems to others potentially exploiting said vulnerabilities.

    Yes, the typical person does not need to worry about government spooks spying on them, but these tools, in the wrong hands can wreak havoc and if this leak exposes anything it is that even the agency can’t contain their own cache of tools.

    As for patching, just how many vendors continue to patch devices that have been discontinued for more than 6-12 months?

    How many IoT devices (a big target for CIA) are patched at all? (and you guys advertise these so readily).

    And let's not even get started on the possibility of remote exploits against vehicles and should those exploits get leaked.

    Is this leak surprising, maybe not so much, is it significant, you bet! Giving it any less credit is a major injustice.

    (By the way, you may review the reports of various type of malware found in Google Play apps over the last 6 months…)

    • jjcoolaus

      I don’t understand the demand for the CIA to disclose it uses techniques that black hat hackers have been using for many years.

      Know what's on your phone, look out for unusual behaviour and if in doubt, factory reset. Do regular scans with free tools to spot malware and unsafe apps. Even the Google Play Store contains dangerous apps.

      As for patching, just how many vendors continue to patch devices that have been discontinued for more than 6-12 months?

      All Google handsets. LG and HTC also have form here. The LG G4 is now 2 generations old (4 generations if you include the V10/V20) and it is still getting Android 7.0
