The CIA probably isn't stupid. Why would they waste attacks like the ones you listed if the silly stuff simply works for most targets. Also those "silly stuff" things are perfect because anybody could have developed them and not necessarily a nation state actor.
Also just because some information got leaked, doesn't mean that there aren't more units / projects at the CIA where maybe the more skilled people are working and where the "good" attacks don't get leaked.
This looks to be the kind of stuff for the day in, day out operations.
Why not just use an off-the-shelf rootkit with off-the-shelf obfuscator + whatever exploits they discovered? None of the code has to be extremely valuable.
If I were CIA in the current political climate, I would simply slightly modify a Russian exploit toolchain and exfiltrate data to CIA controlled C&C. One dev can do the work and with a couple of days of effort it would get past all major AVs.
I think this crowd tends to vastly underestimate the ease of deploying and testing this stuff in a targeted and useful way.
There's a big difference between broadband spray and pray malware, and malware you actually want to hit a target with.
If you know average tools won't detect it, then why get fancy when you have something that's proven reliable and if discovered is unlikely to have your victim substantially improve their processes?
The lower level / juniors / new hires probably cut their teeth on the simple exploits, and as they gain experience move on to the more advanced.
Also, the hextuple-agent in me wants to think the simple exploits were leaked intentionally to distract from the whatever-else-it-is-they-don't-want-you-to-know.
I doubt it, I think they hired out of some no name information security firm. These people probably are not the group developing the exploits either. I know if I was in their shoes I wouldn't waste my time using anything fancy, but this whole thing reads like some mid level member trying to create documentation to move up the corporate ladder.
I don't want to rush to judge them because not everyone can be at the top and if it works it works. If I can pop a box using powershell, it's way easier than having to develop some kernel level hack. Additionally when anyones 'private' conversations get leaked they always look like a fool because it shows us being vulnerable and asking dumb questions, but a lot of the posts really do remind me more of the sysadmin who learned some python instead of the cutting edge of private industry.
This might be true for things like exploits, where every time you use them you stand a chance of burning them, so you're incentivized to keep using whatever's working. But it's not true of rootkit and implant techniques; in fact, the opposite is true: the dumber your implants, the more likely it is that your target will discover you compromised them.
The more likely it is that your target will discover someone compromised them, yes. But finding a DLL injection exploit only says "hacked by someone", whereas finding a microcode-level rootkit in the CPU pretty much says "hacked by a state actor". Which, sometimes is what you want to say (see e.g. Stuxnet), but often not. If you know the first has a 99% chance of going undetected, and the second a 99.9% chance, do you always want to risk the one that pretty much acts like a calling card?
There's two ways microcode goes on Intel CPUs. The first is when it gets flashed in at the factory onto an OTP ROM. The second is when it gets uploaded to a block of internal RAM by your computer, every time it boots. That's why packages like this one (https://www.archlinux.org/packages/extra/any/intel-ucode/) exist.
One is set at the factory, one is set by your computer every time, once at boot, before the completion of boot. Also, it's very carefully signed, so even if you managed to put a bootkit before the OS boot, you would need to steal Intel's microcode key.
Microcode is not targetable. Few things at that level are. (A decent example of something that might be more targetable at that level is a hard drive controller. Less difficult but still not easy.) The amount of engineering needed to pull off an exploit that is "99.9% chance" unnoticeable, but still persistent, is much more than that of a "99% chance".
(I know nothing of AMD's CPUs and their microcode, but I'm guessing it's much of the same.)
First of all, thanks for writing this, since I did find the technical details quite interesting. But I don't think this puts microcode rootkits beyond the reach of a state actor. It puts them beyond the reach of a normal criminal attacker, which is actually my point.
Scenario 1: Supply chain interdiction. You don't need to target the CPU only after it has been manufactured and put into whatever you want to hack, you can start way earlier, including at the factory.
Scenario 2: Getting the signing keys from hardware manufacturers, including Intel, seems quite feasible for state actors. You don't even need hacking (I assume Intel's keys are kept air-gapped) or relying on secret court orders, plain old spycraft would probably do the trick.
That said, my argument can be rephrased to consider the hard-drive controller or other peripheral firmware rootkits instead, if you prefer and care only about scenarios where the rootkit must be delivered over the network to a clean system without attacking the CPU manufacturer.
The CIA took control of the SIM card manufacturer company through in-q-tel years before and willingly sold their shares just before the keys got stolen by NSA/GHCQ.
It was a big deal at the time known as "l'affaire gemplus" and it prompted the french government to set up the "Fonds stratégique d'investissement" or strategic investment fund, sort of a french in-q-tel.
Intel being a US company it is probable the US agencies have their ways with them.
I wouldn't be surprised if the NSA worked with Intel to design their microcode update mechanism (selecting algorithms with advisements against classified breaches; generating key material and sharing between themselves; etc.) That would serve the NSA's interests in both their SIGINT and COMSEC roles at once.
I would say what you did is to "neutralize" the ME firmware part in the flash BIOS. But this is only firmware that the ME loads additionally to load applications like e.g. AMT.
The ME has it's own internal ROM containing it's very own firmware which is inaccessible and can not be modified.
So what you have is libreboot running on top of a still functional IME. All you gained is, that you got your BIOS of choice installed, and to remove some ME apps from the flash image. Correct me if I am wrong.
In Ptacek's defense (heh), I'm willing to wager those hypothetical detection rates are far off the mark by orders of magnitude.
I'd expect a microcode-level rootkit to run a five-nines success rate evading detection unless used against someone who's paranoid enough to have _something_ in place to detect it, and I'd venture further that the 3LAs of the world are smart enough not to target the infosec-paranoids of the world.
I am sure the numbers are way off, but not sure only the microcode one is. My suspicion is that against most non-intelligence targets, the DLL injection approach is quite unlikely to be found out either, at least once the initial intrusion has been accomplished. In both cases, the implants will likely only be detected if the machine in question is used to stage another attack or exfiltrate data over the network, in which case the level of the rootkit running on the host will matter very little for detection.
Admittedly, the best rootkits probably target the network equipment as well as the host.
At the host level, most organizations wouldn't be able to detect an unmasked trojan running as its own separate user process unless its signature was already known or its behavior caught by a blacklist-based IDS.
The problem doing DLL injections is you are dropping things directly to the disk which is a great way to get AVs attention. Heuristics based detection can be a pain in the ass here and you want your rootkit to be able to be 'unique' for every installation if possible.
Also rootkits are way overrated. What you do when you compromise an organization is you open a connection to your C&C on a few machines to keep your foothold if any reboot. If you need to get in you just connect to one of those boxes and just continue on. You never have to drop anything on the hard disk which makes it much stealthier.
I don't doubt your expertise, but I think you're making a lot of declarative and slightly inflammatory statements without supporting them with concrete evidence. Is there publicly available evidence that you could refer to?
> the more likely it is that your target will discover you compromised them
fair enough, but the like the person above said, it can be very important to hide/obfuscate the identity of the snooper. Stuxnet would have been more effective if experts could not immediately point to US/Israel.
According to a recent Wikileaks tweet, this leak is only 1% of the files that they have on the CIA. So most likely, they have many more exploits that are more significant.
They published the papers with a heavy dose of spin. Remember how the headline contained FUD about Signal and WhatsApp? The released documents have nothing about sidestepping Signal and WhatsApp. That was pure conjecture and editorializing.
Of course WikiLeaks wants ordinary people to be vaguely afraid of using Signal and WhatsApp. End-to-end encryption is very much counter to their goals.
Wasn't whatsapp all over the news for its "replace the encryption key transparently without notifying the user" feature ? Also facebook.
I don't trust signal, a centralized that requires a phone number while pretending to be secure and providing some anonymity is flawed by design and begging to be exploited.
The reporting you're talking about has been widely denounced by actual security experts, with 70 of them signing a letter asking the Guardian to retract its inaccurate story. Your position is about as responsible as saying "I don't trust vaccines, they kill people".
It's not FUD: it's just a threat model WhatsApp and those experts do not care for, or alternatively think is a worthy the UI/UX trade-off.
FWIW, I strongly disagree with this stance: if the recipient's key changes while the message is in-flight, that message should never be resent/delivered without the sender's explicit approval. Imagine that Bob is a political activist planning a protest. Bob is wondering why his IMs to a co-conspirator Alice aren't being delivered; Bob's wonder turns to fear when he hears on the news that Alice has been detained. Fear turns into terror when Bob sees his messages subsequently get two blue ticks as WhatsApp happily delivers his IMs to a new phone belonging to the secret police. Only afterwards does WhatsApp notify Bob that Alice's key has changed
OWS never claim that Signal provides anonymity. The word they use is privacy which sometimes involves being anonymous, but not necessarily so.
> Wasn't whatsapp all over the news for its "replace the encryption key transparently without notifying the user" feature ? Also facebook.
Which was a conscious design decision. Not doing that (even for people that had turned on "notify on key changes"), would let whatsapp know which users could be securely MITM'd. Neither is a very good choice, but an understandable trade-off when it comes to security vs usability.
I haven't read overly deep into the documents, but if they have rootkits for the main devices (iPhone, android, linux, OSX, windows) that you are using E2E encryption on they can easily sit between the decryption layer and the user.
Yeah, Assange can go get stuffed. He has lost all credibility with this drips and drabs bullshit in an attempt to keep himself some kind of "celebrity".
Release it and let people figure it out or shut the fuck up.
Snowden coordinated with Greenwald et al. for years on their "drips and drabs" strategy. Rightly so! The point of leaking is to have a political effect. Those effects are multiplied when leaks are well-timed. I'm glad, because had the leaks that have many people most upset not been so effective, USA would probably be at war in Syria right now.
Funny that the snowden leaked document have been released drips and drabs to the point that only a portion has been made public yet but for some reason you fail to take it into account.
Also Assange would be Poitras/Greenwald here not Snowden.
Are you implying that he did something dishonest? I can't recall one example even. Although, I do recall a handful of politicians and news stories claiming the DKIM verified emails were likely fake. For example, I remember when Donna Brazile said that it wasn't her who sent the email leaking debate questions. Russians probably broke DKIM, and Brazile was probably coerced into admitting she's a liar.
How much of that "99% unreleased" is represented by the stub files:
::: THIS ARCHIVE FILE IS STILL BEING EXAMINED BY WIKILEAKS. :::
::: IT MAY BE RELEASED IN THE NEAR FUTURE. WHAT FOLLOWS IS :::
::: AN AUTOMATICALLY GENERATED LIST OF ITS CONTENTS: :::
Add to the fact that many systems around the world are woefully unpatched, so the "silly stuff" still works against them. I've done a lot of work outside the U.S., especially in 3rd world countries, and it's astounding how outdated much of the IT infrastructure is. We're talking entire networks still running pirated Windows XP and Vista.
Definitely correct, they are not stupid. These tools are more of a "keep it around in case we need it" type of thing.
The CIA works abroad, not on American soil, so none of these tools are being used against the American people anyway (thats the NSA's job). I imagine this is part of a network or "library" of exploits they have, in case they encounter say a North Korean laptop with Windows 98 and they need something in a pinch.
>doesn't mean that there aren't more units
Exactly, thats why they call it a "leak" and not a "turn the hose on full blast."
> Also just because some information got leaked, doesn't mean that there aren't more units / projects at the CIA where maybe the more skilled people are working and where the "good" attacks don't get leaked.
Actually the vault7 leak is the first in a series and it is clearly stated that this is only a portion of the CIA tools:
> Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. (..) The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.
Can anyone confirm if 'the CIA lost control' refers to the August 2016 Shadow Brokers / Equation Group auction? At the time I recall the tools being attributed to the NSA however it seems to fit the timeline ...
Technically, there is absolutely nothing impressive whatsoever, in the archive released yesterday; I went through the entire thing. Relative to the Snowden leaks, the CIA tools look benign. The biggest difference between the two sets of leaks(and subsequent NSA revelations) however, is scale & automation. NSA's tools are built almost entirely by contractors. The 'hacking' tools are integrated with deployment tools, as well as data collection. For example, say I work for the NSA and I want to see Bob's desktop wallpaper. I already have some generic social network information, as well as ISP info on bob, and he has already been assigned a 'selector,' which I use to query Bob's information, which was gathered from all sorts of sources. Assuming I don't already have a RAT or similar installed on Bob's computer, a further step is required. The NSA has many redundant attacks entirely automated, and most of the massively successful attacks, require some sort of MITM attack. Schneier released a video(on October 26th 2016, I think - if not real close to that date,) of some sort of intelligence meeting he spoke at, with just a handful of people, where he claimed he was going to bring something to light that had not previously been revealed anywhere in public. He revealed that the majority of home routers in the U.S.(commonly believed to be the ones provided by ISP, which run a custom Linux distro, with half a dozen internal subnets, mine runs on Arris hardware, has full busy-box, and used to contain a root pivot script that was previously accessible via ssh, on an accidentally unsecured network interface, within an obscure IP range, whos shell login turned out to be the commonly available Arris rolling code('arris pw of the day?'). The embedded Linux running on the device is based on the "RDK project" as is the DVR's and modem/router combos from a variety of other ISP's. Supposedly this is patched(for arris) but I haven't attempted any further investigation since August 2016. I believe the backdoor was simply a poorly designed interface between the router and the technician GUI software.) Sorry for the unnecessary details, but I've already typed it out now. Schneier revealed that these routers(HE never specified which, but said they are everywhere), referred to by the NSA internally as 'diodes'. The diodes are used(automatically) to provide better proximity to other users, not necessarily the target, where the plethora of attacks are then executed from. The initial development costs are immensely greater than those of the CIA's, much easier and cheaper to use, by the lay person, and are more carefully controlled/depend on the system hosted by the NSA. While proximity attacks are not the only method of intrusion/full control, the next best, or perhaps better alternative is Acidfox, which is often delivered via email/browser, and requires user intervention. Clearly the NSA is leaps and bounds ahead of CIA in terms of sophistication, as well as control/oversight, as you can't just walk out the door with an archive containing 75% of their tools(they depend on infrastructure.) The CIA attacks depicted in the Wikileaks archive, almost all require manual intervention, are less reliable, and 'janky' as hell. The CIA has a record of using their tools for less than honorable/legal purposes(which may be further elaborated on, depending on what goes down with the Trump wiretaps,) either way, the CIA hacks seem like a waste of time and money (5000 employees at the consulate in Germany) and redundant. The CIA must be able to utilize the NSA's vastly superior technology/information after receiving a warrant, which makes the motives and means all the more suspicious. Who knows what will come out, but one thing is for certain, there will be a lot more information revealed pertaining to the illegal, unwarranted, for personal gain, sharing of their tools with ex employees and contractors, in the coming weeks. I could go on for ages on this stuff, but I usually just get instantly downvoted, and I'm not providing sources(as it's all from memory[pro memory,] but it's all easily duckduckgo-able [or google.]) There are certainly more sophisticated employees and programs at the CIA(obviously), but I have a feeling that the shindig over in Germany consists mostly of this sort of thing, cheaper, younger, less experienced kids, copy & pasting junk together, customized and deployed on a case by case basis. I also have a feeling that the reasons Obama set that up, is going to be an interesting narrative which we will soon watch unfold. (hint: 7th floor group; aka 'shadow government') P.S. I refuse to go back and grammar check this monstrosity.
Edit: Maybe someone can answer this question for me.. So from the Snowden leaks, we know the extent of the NSA toolkits and the requirements which need to be met to utilize them. Now we know some of the CIA's capabilities, and after Apple refused to unlock the San Bernardino Shooter's iPhone, we found out the FBI was playing some sort of politics, by claiming that justice might not be served without Apple's intervention, and proceeded to publicly shame the ethical position Apple took. So why on earth was Obama trying to force Apple's hand in that matter? Soon as Apple said no, the FBI somehow found the single magical person willing and able to defeat the privately enhanced security of the shooter's 5S? Makes no sense to me.
Thanks for sharing. Consider breaking it up into a few paragraphs to make it easier to parse.
The most interesting tool I found in the leaks was the bug that jumps airgap to make Nero burn trojaned binaries. If we see more tools like this come out of the woodwork, it shows that the CIA is at least in some ways keeping their teeth sharp.
I believe that the FBI and Obama both played politics for a few reasons, namely:
- Obama and the FBI probably withheld a reasonable amount of information from each other regarding the case
- This was all a charade to bring the topic into the public sphere. It backfired, but the aim was to allow future high-profile cases on which concurrent evidence trails are harder to establish. Once it backfired, Comey came out with a public letter admonishing the American people, comparing us to children. He stated that with Rule 41 coming into effect, the FBI would use its expanded powers to collect information for the following year. They would then use that information in an upcoming "adult conversation" the FBI wishes to have with the public about the future of open, libre encryption.
We should be expecting that "conversation" to take place this year. And I don't expect it to be much of a dialogue so much as a monologue. I expect the FBI to either directly or indirectly (thru Wikileaks, etc) release information that "proves" that backdoored encryption and its inherent reduced security is necessary for public safety. There is a saying we all know and love about the merits of this particular trade-off
I'm certain the FBI always had that contact on standby. They probably received multiple unprompted bids from various hacking companies during the public run of the case. They wanted to flex how much pull they had over a giant like Apple. Even though they seemingly failed, they came out with a huge data point: The American people need further brainwashing and ideological shifting before attempting a full coup over libre encryption in America.
I don't think they wanted to flex muscle over Apple, I think they were trying to build case law for situations like this. Also breaking into a phone with an exploit like this is expensive and if they have an exploit, they might not want to publish that they have it in the future so having the backdoor provides deniability even if it's fundamentally dumb.
/puts on tinfoil hat
There is also the other option which is that trust in American tech companies has been sketchy at best following the NSA leaks and this was a chance for the Obama administration to allow companies to reestablish some legitimacy when it came to security by making the US government look evil but having the corporations 'prove' that they are not backdoored by the NSA. They can still break in the covert way, but it makes it look tech companies are not as compromised as the NSA leaks would suggest.
they might also used the whole stunt as a way to inform the public that they have the capability so that next time around at the interview goes "look kid, we do have the capability to unlock the phone, but it's costly, nasty, annoying for everyone involved and will put your refusal in a very very bad light in front of the judge and jury, why you don't just give the code and we tell the judge you cooperated?"
To be frank, the whole concept of "plea bargaining" in US law is a vulnerability, broadening the attack surface for many otherwise less harmful vulnerabilities.
Hadn't thought about it like that. Interesting. Was too late to edit when I saw your comment. Unrelated: Most interesting thing to me, of this nature(was from the snowden leaks) is known as 'RAGEMASTER;' an RF retro-reflector built into a vga cable(deployed by intercepted packages between computer supplier and target I believe) which allows NSA to observe the contents of a vga signal remotely, using radar, and subsequent re-modulation and sync of the signal.. Totally bizarre.
Also just because some information got leaked, doesn't mean that there aren't more units / projects at the CIA where maybe the more skilled people are working and where the "good" attacks don't get leaked.
This looks to be the kind of stuff for the day in, day out operations.