How bad is that CIA / Wikileaks thing?

Short answer is bad, but for more reasons than first come to mind.

Wikileaks recently released a vault of documents allegedly from the CIA relating to its cyber capabilities[1].  This is not the first time that Wikileaks has released fairly targeted documents against an agency in the United States[2][3][4][5].  Wikileaks founder Julian Assange has clear reasons to be less than sympathetic to the United States of America: he is currently sheltering in the Ecuadorian Embassy in London from criminal charges that he states are designed to result in his detainment in the US for releasing previous leaks[6].  The timing and a few other factors around the leaks have led to a growing opinion that Wikileaks is being fed information by intelligence services in Russia[7][8].  This could create some moral confusion about whether these documents are ethical whistleblowing, state-run propaganda or cyber muscle-flexing.  The information in this leak is a few years old, so it is not a great surprise that both Apple and Google have already stated that they have fixed many of the security holes used by the tools listed in the release[9][10].

There are likely going to be a few questions and concerns about this matter, so, taking news reports as a guide for discussion, let's look at what has been raised.

“the spy agency has developed malware that can turn iPhones, Android devices and Samsung smart TVs into covert listening devices.” – CBC[11]

This is absolutely plausible; this is the kind of capability that a spy agency would want to have.  There is known malware designed to perform this function that has been found in use serving nation states[12][13][14][15][16][17].

However, it is not in the best interests of any of these parties to use proprietary malware exploiting undiscovered vulnerabilities widely[18].  Using the malware in more places increases the risk of it being discovered and analyzed, and of counter-measures being put in place by security software companies and software vendors.  There is a research and development cost associated with developing this kind of software, and the moment it is discovered it quickly becomes useless.  For agencies keen to maximize the return on their investment it is good practice to use this malware sparingly.

The existence of malware like this, or the fact that a nation's spy agency would have it, is nothing new and should not greatly change your security risk.  Taking care when installing applications, patching and updating software, and running security software are still your best options here.

The latter [Samsung smart TVs malware], known by the codename “Weeping Angel,” was allegedly developed in co-operation with the U.K.’s MI-5. Infected TVs appear to be turned off while, in fact, they record conversations in the room and send them via the Internet to the CIA, WikiLeaks said in a statement.

Again this is entirely plausible.  The security of Internet of Things devices such as smart TVs is notoriously bad, and developing software such as this is not outside the reach of spy agencies.  It is also not a surprise that allied nations would share capabilities.  This particular piece of software apparently needs to be installed via a USB key: an agent would have to have physical access to the television to install it.  This again lines up with agencies wanting to keep a small footprint to avoid detection, and the capability would be well suited to installing a listening device in a specific hotel or conference room.  Keep in mind that these files are a few years old and we have seen cases of malware infecting televisions via a downloaded file, so it is possible that the technical capacity of spy agencies now includes the ability to install without physical access.  One should see this possibility in the context of the current reality of these televisions.  The manufacturer itself is listening to conversations and sharing that information with other companies.  The current standard of privacy for smart televisions is very low and should be of concern regardless of the capabilities of government spy agencies.  The privacy issues surrounding new smart devices, particularly those with microphones and cameras, are very real and something that should be discussed.  In short, there are others that are more likely to be listening in than the CIA.

It is also alleged that — contrary to an agreement struck during the Obama administration — the CIA did not disclose to U.S. companies such as Apple, Google and Microsoft vulnerabilities it has discovered in their products.

The Vulnerability Equities Process (VEP) is a US Government process for assessing the relative benefits to national security of keeping a system vulnerability secret for use by security agencies versus disclosing it so that it is repaired.  This process results from an early 2008 directive signed by President George W. Bush.  The process was re-examined in 2014, after the Snowden documents were released, to make sure that the decisions being made were in line with the public good.  For more information on this there is a report from the Harvard Belfer Center at http://www.belfercenter.org/sites/default/files/legacy/files/vulnerability-disclosure-web-final3.pdf

This is a complex issue[19].  Effective cyber defense is notoriously difficult to implement and measure, particularly when compared with cyber offense: the effectiveness of a defense measure is only known when it fails.  Espionage agencies like the CIA also have a culture of secrecy[20], which could lead to a predisposition not to disclose vulnerabilities.

Not disclosing vulnerabilities creates the possibility that harm to the public could occur that could otherwise have been avoided.  Against this must be weighed the strategic effectiveness of using these vulnerabilities to support international security efforts such as sanctions and diplomatic negotiations, as in the alleged case of slowing the development of nuclear capabilities in Iran or delaying the ICBM program in North Korea.  There is nothing in the VEP that absolutely compels the disclosure of a vulnerability, so having undisclosed vulnerabilities is nothing "contrary to an agreement".  Although it is difficult to be sure, there is debate as to whether the US government would be hoarding 0-days.  Theoretically, it would be a great advantage to spy organizations to have a large supply of vulnerabilities, so that if one vulnerability were discovered by another party there would be no loss of spying capability when the problem is fixed, as there would be another vulnerability that could be used.  In this scenario more is better and so hoarding would be an advantage.  Having spare vulnerabilities for each type of hardware and software would, however, result in a large collection of data to manage, and developing and testing the tooling to reliably take advantage of each vulnerability would be resource intensive.  Further, the large number of agencies and contractors involved in military operations would make managing the security of this collection extremely difficult.  An adversary could take advantage of this by stealing the vulnerabilities, which would provide them additional tools and indicators of espionage activities, or by releasing them all at once to reduce the espionage capability or politically destabilize a nation at a strategic time.

The complexity of this debate requires open discussion; however, open discussion of capabilities that only exist while they are secret is difficult.
Michael Joyce is the Knowledge Mobilization Coordinator at SERENE-RISC, www.serene-risc.ca.
______________________________________________

[1] Wikileaks (2017) Vault 7: CIA Hacking Tools Revealed. https://wikileaks.org/ciav7p1/

[2] Shear & Rosenberg (2016) Democratic National Committee emails, NY Times. https://www.nytimes.com/2016/07/23/us/politics/dnc-emails-sanders-clinton.html

[3] Wikileaks (2015) NSA activities 2015. https://wikileaks.org/nsa-japan/

[4] Wikileaks (2015) CIA emails 2015. https://wikileaks.org/cia-emails/

[5] Wikileaks (2015) NSA espionage in Brazil. https://wikileaks.org/nsa-brazil/

[6] BBC (2015) Q&A: Julian Assange and the law. http://www.bbc.com/news/world-europe-19426382

[7] Becker, Erlanger and Schmitt (2016) How Russia Often Benefits When Julian Assange Reveals the West's Secrets, NY Times. https://www.nytimes.com/2016/09/01/world/europe/wikileaks-julian-assange-russia.html

[8] Graham (2017) The Astonishing Transformation of Julian Assange, The Atlantic. https://www.theatlantic.com/politics/archive/2017/01/assange-man-in-the-news/512243/

[9] Conger (2017) Apple says most vulnerabilities in Wikileaks docs are already patched, TechCrunch. https://techcrunch.com/2017/03/07/apple-says-most-vulnerabilities-in-wikileaks-docs-are-already-patched/

[10] Conger (2017) Google is the latest company to brush off most of the WikiLeaks vulnerabilities, TechCrunch. https://techcrunch.com/2017/03/08/google-is-the-latest-company-to-brush-off-most-of-the-wikileaks-vulnerabilities/

[11] Associated Press (2017) CIA could listen through cellphones, smart TVs, WikiLeaks claims, CBC. http://www.cbc.ca/news/world/wikileaks-cia-cyber-intelligence-1.4013113

[12] Marquis-Boire et al. (2012) The SmartPhone Who Loved Me: FinFisher Goes Mobile?, Citizen Lab. https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/

[13] FBI (2012) Smartphone Users Should Be Aware of Malware Targeting Mobile Devices and Safety Measures to Help Avoid Compromise, IC3. https://www.ic3.gov/media/2012/121012.aspx

[14] Sun et al. (2015) Pawn Storm Update: iOS Espionage App Found, Trend Micro. http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/

[15] Naor (2017) Breaking The Weakest Link Of The Strongest Chain, Securelist. https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/

[16] Coogan (2014) Android RATs Branch out with Dendroid, Symantec. https://www.symantec.com/connect/blogs/android-rats-branch-out-dendroid

[17] Marczak et al. (2016) The Million Dollar Dissident: NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender, Citizen Lab. https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/

[18] Schneier (2013) The NSA's New Risk Analysis. https://www.schneier.com/blog/archives/2013/10/the_nsas_new_ri.html

[19] Healey (2016) The U.S. Government and Zero-Day Vulnerabilities: From Pre-Heartbleed to Shadow Brokers, Journal of International Affairs. https://jia.sipa.columbia.edu/online-articles/healey_vulnerability_equities_process

[20] Johnston, R. (2005) Analytic Culture in the US Intelligence Community: An Ethnographic Study. Central Intelligence Agency, Center for the Study of Intelligence, Washington DC.