Let’s all calm down now: the WikiLeaks CIA infodump isn’t bigger than Snowden

Tarah Wheeler, hacker, & Sandy Clark, Ph.D., University of Pennsylvania Computer and Information Science

***These are the opinions of Tarah and Sandy, and do not represent the opinions of Symantec or the University of Pennsylvania***

Introduction

Let’s all calm down when it comes to spreading FUD on the Internet about this morning’s giant CIA leak. This information leak is a revelation of something we all knew: the CIA has 0-days (high-impact, previously undisclosed exploits) and purchases exploits from a number of researchers both in and out of the US in order to surveil individual devices.

What happened

This morning, WikiLeaks released a massive information dump including CIA exploits and rootkits for mobile device hacking among other tools. Information security specialists around the world woke up to a Twitter storm of commentary, most of which was absolute horsefeathers and which spread misinformation to people not trained to understand the impact of this information. WikiLeaks asserted that:

These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloakman by hacking the “smart” phones that they run on and collecting audio and message traffic before encryption is applied.

Almost instantly, this sentence was drastically misinterpreted by media organizations around the world to mean that the encryption used by encrypted chat clients like Signal and WhatsApp had been broken. Though it was phrased poorly, it was accurate: these techniques *bypass* encryption by gaining access through other methods and listening in, but they do it before the applications encrypt and transmit information. This is rather like hiding behind the couch and listening in on someone having a speakerphone conversation over a secured line. You’re hearing the information before it’s ever encrypted and sent, so the voices are entirely in the open. Even worse, if you’re able to see over someone’s shoulder to a 2-way text conversation on their phone or laptop, it doesn’t matter if the information was encrypted in transit if you’re already seeing everything that happens on the device.

This isn’t meant to diminish the magnitude of what it means that these tools exist. There are many interesting technical tools and exploits in this dump, and we’ll go through the tools we’ve seen so far, as well as the implications of this information.

Tech tools and compromises

This will be updated as we find more information.

The mundanity of getting gcc (a C compiler) to run properly is universal, whether you’re in the CIA or your local hacker space. It’s a bit entertaining as a Linux admin to see the amount of time and effort that even the CIA’s cybersecurity specialists must go to in order to configure their environments and get gcc to work properly.

One particularly interesting point that can be gleaned from this data is insight into why our 3-letter agencies are fighting so hard against releasing information about the exploits they use. One of the pages is titled: Triage and documents the need for ensuring they stay ahead in the arms race. There is strong emphasis on quickly testing their tools, as well as their ability to maintain persistent connection with a currently compromised device whenever a new IOS version is (about to be) released. Detailed instructions for verifying tool functionality, as well as notes on what worked last time and caveats are provided. These instructions appear to be intended for someone familiar with the toolset, but not necessarily an expert. I.e., a user not a developer. Such strong emphasis on making sure their exploits are still usable suggests they are concerned about losing them.

The Android tools all seem to have older dates on them than the iOS tools. It’s fascinating to see that either a) the Android hacks all still work on most devices, or b) the CIA has simply stopped focusing on Android devices, either because they’re so easy to hack or because most significant targets will be using iOS anyway.

**This section will be updated and possibly expanded on in a future post.

Why the information security community is both amused and irritated

The CIA seems to have been using a private Atlassian server. For those of us who have found Atlassian configurations to be impossible to secure for years, hearing CIA cybersecurity specialists complaining just as we do about the difficulty of configuring and using Atlassian is funny as hell.

As technologists, it amuses us a great deal to see other nerds around the world using the same references we do to nerd culture, like Doctor Who. Referencing Weeping Angels and the Sontarans when collaborating with British intelligence on technical projects is funny, there’s no doubt — but not so much when you consider that this is the perversion of a joy-filled culture of inside jokes about Star Trek and internet memes into normalizing tactics that Stalin would have blushed at. What’s more interesting here is the depth and flavor of the contributions, the tools being used, and the unique personalities of the users and what they’re working on, as well as the ages of the packages and tools in question. There are a few users who appear to have been the doc monkeys (the people who have the very thankless job of updating the documentation for all users), and their wry comments are quite familiar to us all.

Implications

For iOS:

Why such a big focus on iOS? 2 reasons: Because after the FBI lawsuit regarding the San Bernardino terrorist phone where Apple fought tooth and nail, and because though iOS is only 14.5% of the market (according to the WikiLeaks document itself), Apple makes over 80% of smartphone sales revenue due to it being a high end device. The implication is that an outsized proportion of people of interest have iPhones, not Androids.

Closely related is the focus on UEFI exploits (Unified Extensible Firmware Interface) on Apple machines. That’s likely because it’s so hard to attack either the physical device itself without demonstrating compromise or the application ecosystem which is extraordinarily sandboxed. Think of the physical machine of an Apple machine and its apps as being like two pieces of bread. The UEFI is the peanut butter between them, “sticking” them both together. It provides a way for the physical machinery to talk to the software. When the UEFI is compromised by having an EFI driver (a specific set of instructions telling a machine how to interface with software) that can’t be removed or detected even after factory resetting the phone, the attacker has control of the Apple machine. This isn’t necessarily the iPhone itself, but on OSX, which can functionally grant access to iPhones it’s tied to.

Larger implications

Is this bigger or smaller than the Snowden revelations?

It’s much, much smaller. The Snowden leaks showed the mass covert surveillance via text and voice of American citizens using tools that permitted mass data gathering and analysis. This info dump so far shows that the CIA researched, gathered, purchased, and (presumably) used tools that allowed targeting of individual devices.

The effort the CIA went to in order to collect, test, and use these tools versus individual devices shows that simply breaking encryption on all those devices and listening in painlessly and approaching costlessly is not yet possible. To the best of our ability to tell so far: there’s little to no evidence of mass surveillance of mobile devices beyond that which we already knew existed. This is about the difficulty of a single individual to prevent a nation state with significant resources and attention from compromising their devices.

Encryption works

The level of expense it takes for a single CIA agent to monitor someone’s device and spend weeks cracking it is prohibitive across millions of users, and that’s why encryption exists: not to make surveillance impossible, but so costly that there’s not enough resources to monitor everyone.

This is why government-mandated back doors are so problematic. As Matt Blaze and Jon Callas said at the Department of Justice in 2015, there’s no such thing as a Magic Rainbow Unicorn Key usable only by the noble and pure of heart. Given that key, the CIA wouldn’t have to expend resources individually targeting people. They’d have everyone’s devices open to their gaze, whether legal and just or not.

Conclusion: As Dr. Clark and Ms. Wheeler collaborated on this post, we spoke over Signal on our iPhones while using our Macs. We trust these devices and applications while understanding that if we are individual targets of any of these tools, we may be compromised already — but the probability of compromise is absolutely lowest using these systems. That’s the best we can offer you: you’re most likely to be safe using encrypted devices and clients that make individual targeting extremely expensive and mass surveillance fundamentally currently impossible.