• United States



U.S. Correspondent

CIA-made malware? Now antivirus vendors can find out

Mar 08, 20175 mins

Security researchers are concerned that WikiLeaks may have mislead the public with the CIA document dump

Thanks to WikiLeaks, antivirus vendors will soon be able to figure out if you have been hacked by the CIA.

On Tuesday, WikiLeaks dumped a trove of 8,700 documents that allegedly detail the CIA’s secret hacking operations, including spying tools designed for mobile phones, PCs and smart TVs.

WikiLeaks has redacted the actual source code from the files to prevent the distribution of cyber weapons, it said. Nevertheless, the document dump — if real — still exposes some of the techniques that the CIA has allegedly been using.

Among those techniques are ways to bypass antivirus software from vendors including Avira, Bitdefender and Comodo, according to some of the leaked documents.

The CIA’s playbook out in the open

The documents even include some snippets of code that antivirus vendors can use to detect whether a hacking attempt may have come from the CIA, said Jake Williams, founder of security company Rendition InfoSec.

“In the documents, they (the CIA) mention specific code snippets used in operational tools,” Williams said. Antivirus vendors can use this to look at their customers’ networks for any traces of past intrusions.

That might be a big blow to the CIA’s surveillance operations. Now anyone, including foreign governments, can use the WikiLeaks dump to figure out if the CIA ever targeted them, according to Williams.

“I would bet my bank account that the hackers of the CIA have spent all day trying to remove their tools from high value networks,” he said.

WikiLeaks hasn’t said who supplied the secret documents. But the anonymous source is hoping to spark debate over whether the CIA abused its authority by developing so many hacking tools without public oversight, WikiLeaks said.  

“There is an extreme proliferation risk in the development of cyber ‘weapons’,” WikiLeaks founder Julian Assange added in a statement.

But some security researchers believe WikiLeaks is trying to mislead the public by exaggerating the CIA’s hacking capabilities. “The press is getting taken for a ride today,” said Will Strafach, CEO of Sudo Security Group who studies vulnerabilities in Apple’s iOS.

How real are the risks?

Although WikiLeaks has said the CIA documents show the agency can hack iPhones and Android smartphones for spying purposes, consumers shouldn’t necessarily be concerned, he said.

That’s because the dumped documents mostly mention exploits for iOS that appear to already be publicly known and have been patched.

“I have not found anything here that could be a danger to anyone running iOS 10 or above,” Strafach said.

Earlier news headlines and a tweet from WikiLeaks on Tuesday also suggested that the CIA hacking tools can bypass the encryption on messaging apps such as WhatsApp and Signal. But there’s no evidence that the CIA ever cracked the encryption, only that the agency developed exploits and malware to take over devices.

“The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption,” tweeted Open Whisper Systems, which developed the encryption used in the apps.

Journalists and security researchers are still looking over the dumped documents. But it doesn’t appear the hacking tools equate to mass surveillance, said Robert Graham, CEO of security firm Errata Security.  

One hacking tool, code-named Weeping Angel, allegedly involves turning a Samsung smart TV into a monitoring device. But the tool seems to only work if a CIA agent can physically install it on the TV.  

“When we look at the tools, they really give off the impression that they are used locally,” Graham said. “That some CIA agent has to walk in. It’s not remote hacking.”

Questions over vulnerabilities

Still, some privacy advocates are worried by the WikiLeaks document dump. They say it confirms that the U.S. government has known about key vulnerabilities in tech products, but decides to develop hacking tools around them, rather than help vendors patch them.

A document in the dump shows that CIA exploits for Apple’s iOS were allegedly purchased from the U.S. National Security Agency, British intelligence or bought from third-party providers. 

The key danger is that malicious groups, such as foreign government hackers, might discover the vulnerabilities too — putting everyday users in harm’s way.

“As these leaks show, we’re all made less safe by the CIA’s decision to keep — rather than ensure the patching of — vulnerabilities,” wrote Cindy Cohn, executive director of privacy advocate, the Electronic Frontier Foundation.

“Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans,” she said.

But others aren’t so sure the document dump really shows that the CIA has been stockpiling information about vulnerabilities.

“It is difficult to tell this from the info we have at this point,” Ari Schwartz, a former White House senior director for cybersecurity, said in an email. “Questions that I would have are:  Are they really previously unknown?”