WikiLeaks documents show CIA struggling to crack Apple gear, little danger to everyday fol...
While the revelations that the CIA has its own device penetration department, including a section for Apple equipment, a closer look at the revealed data shows an agency struggling with the realities of modern surveillance, and a increasingly sophisticated investigation target base.
Any penetration requires four major factors to be effective -- a vector of attack, a deployable payload compromising the system, invisibility, and exfiltration of gathered data. Failure of any of the four makes the effort pointless.
Initial review of documentation revealed in the WikiLeaks publication of the "Vault 7" program documents shows a CIA having problems with combining all four factors on the newest Apple gear and software at the same time.
Many are eradicated by a full reboot of the device. Others are purged by a restore.
While some are remote, they still need to be specially crafted. The target needs to be convinced to visit a compromised page, or the exploit needs to be installed in a trusted page somehow.
Older devices and devices running early versions of iOS remain exploitable. However, older devices stuck on iOS 5 or the latest batch left behind with iOS 9 will not likely see security patches.
The Harpy Eagle documents show an extensive decompilation effort of Apple's code in order to "install a persistent rootkit into the flash storage" of the AirPort, as well as a close examination of the AirPort Utility on then OS X. Assuming the documents are relatively complete, the effort doesn't appear complete, with no fully functional or reliable exploits allowing the CIA to insert itself in a target's network through AirPort router hardware.
The effort appears partially stymied by not just Apple's security through firmware 7.7.3, but the custom codebase developed for the router -- the same thing that has historically prevented the gear from compromise through a variety of other exploits that have plagued router manufacturers recently.
Given that the data dump is primarily from the tail-end of 2015, progress has likely been made -- but Apple has released three updates in the same time frame. However, as demonstrated with exploits on other platforms, a new version of the AirPort firmware sets the agency back.
Once again, the documents express the difficulty of adjusting to a "moving target" after Apple's hardware and software updates.
It appears that the OS X/macOS tools are more advanced than those for iOS -- which makes sense, as the underpinning of OS X has been around since the turn of the century and OS X is far more open than iOS is.
It is not Apple's, Google's or any other tech company's job to make penetrating their devices easier. As emphasized by testimony before the Senate Investigative Committee regarding the encryption debate in 2016, it is law enforcement's responsibility to build its own tool library for conducting investigations -- and this library is exactly what the "Vault 7" initiative planned.
Apple has since revealed that it has patched most of the CIA's exploits in iOS 10.
Whether or not the CIA violated an Obama-era prohibition on stock-piling so-called "zero-day" exploits is worth mentioning, but mostly irrelevant to users. For better or worse, the agency decided that keeping the exploits to themselves and using them as need-be would be "safer" for the American public.
They may be right. There is more "low-hanging fruit" for the criminal element to utilize. The CIA's exploits for more modern devices up through the end of 2015 require physical access to a device. The less global-scale criminal activities rely on significantly simpler and less costly to implement Java or Flash "drive-by" exploits to steal credentials, or execute the new "ransomware"-styled attacks requiring a BitCoin payment for a delivered encryption key.
Regardless of the libraries going public, most AppleInsider readers don't need to worry about the libraries, other than from a idealogical or political standpoint. Bar none, the CIA attacks are targeted, with nearly all of the "modern" ones for Apple equipment requiring physical access to equipment and a great deal of effort and sometimes physical danger, to implement.
The larger danger is the fact that the exploit library is public, with some vectors of attack more well-known now. This doesn't make the attacks any easier to deploy, but it does widen the potential pool of people willing to use them.
None of the exploits are mass-deployable, or pose any significant mass-surveillance threat. It remains far easier in most cases for the CIA or other intelligence gathering or law enforcement agencies to collect location and call data for iPhone users from wireless carriers, and perform some old-school legwork to suss out information about a target.
Any penetration requires four major factors to be effective -- a vector of attack, a deployable payload compromising the system, invisibility, and exfiltration of gathered data. Failure of any of the four makes the effort pointless.
Initial review of documentation revealed in the WikiLeaks publication of the "Vault 7" program documents shows a CIA having problems with combining all four factors on the newest Apple gear and software at the same time.
14 iOS exploits, codenamed: WildTurkey, McNugget, et al
Under an assortment of code names, the CIA developed or purchased many exploits, running all the way to iOS 9.2 in the end of 2015 -- but the agency's own data reveals the ephemeral nature of the vectors.Many are eradicated by a full reboot of the device. Others are purged by a restore.
It is not Apple's, Google's or any other tech company's job to make penetrating their devices easier.
While some are remote, they still need to be specially crafted. The target needs to be convinced to visit a compromised page, or the exploit needs to be installed in a trusted page somehow.
Older devices and devices running early versions of iOS remain exploitable. However, older devices stuck on iOS 5 or the latest batch left behind with iOS 9 will not likely see security patches.
AirPort -- project Harpy Eagle
The AirPort exploit effort remains relevant, despite the relative age of the leak. Apple's networking hardware hasn't been altered at all since the penetration efforts began, with only three firmware updates in nearly two years.The Harpy Eagle documents show an extensive decompilation effort of Apple's code in order to "install a persistent rootkit into the flash storage" of the AirPort, as well as a close examination of the AirPort Utility on then OS X. Assuming the documents are relatively complete, the effort doesn't appear complete, with no fully functional or reliable exploits allowing the CIA to insert itself in a target's network through AirPort router hardware.
The effort appears partially stymied by not just Apple's security through firmware 7.7.3, but the custom codebase developed for the router -- the same thing that has historically prevented the gear from compromise through a variety of other exploits that have plagued router manufacturers recently.
Given that the data dump is primarily from the tail-end of 2015, progress has likely been made -- but Apple has released three updates in the same time frame. However, as demonstrated with exploits on other platforms, a new version of the AirPort firmware sets the agency back.
OS X Mavericks -- project DerStarke
The documents about penetrating the then-new Mavericks is perhaps the most telling of the batch. The worklog detailing DerStarke discusses EFI bootloader compromise, as well as a way to "inject into" popular Internet traffic monitoring utility Little Snitch to prevent the target from spotting data transfer.Once again, the documents express the difficulty of adjusting to a "moving target" after Apple's hardware and software updates.
It appears that the OS X/macOS tools are more advanced than those for iOS -- which makes sense, as the underpinning of OS X has been around since the turn of the century and OS X is far more open than iOS is.
Sensational, but of little actual impact
AppleInsider has yet to plow through all of the nearly 9000 multi-page documents released in just the first batch, and WikiLeaks promises there are more coming. Even going through the Apple-centric ones, the inescapable conclusion remains that while developing the Center for Cyber Intelligence in a less than transparent fashion, the CIA is fulfilling its role in the strange relationship that law enforcement has with Silicon Valley.It is not Apple's, Google's or any other tech company's job to make penetrating their devices easier. As emphasized by testimony before the Senate Investigative Committee regarding the encryption debate in 2016, it is law enforcement's responsibility to build its own tool library for conducting investigations -- and this library is exactly what the "Vault 7" initiative planned.
Apple has since revealed that it has patched most of the CIA's exploits in iOS 10.
Whether or not the CIA violated an Obama-era prohibition on stock-piling so-called "zero-day" exploits is worth mentioning, but mostly irrelevant to users. For better or worse, the agency decided that keeping the exploits to themselves and using them as need-be would be "safer" for the American public.
They may be right. There is more "low-hanging fruit" for the criminal element to utilize. The CIA's exploits for more modern devices up through the end of 2015 require physical access to a device. The less global-scale criminal activities rely on significantly simpler and less costly to implement Java or Flash "drive-by" exploits to steal credentials, or execute the new "ransomware"-styled attacks requiring a BitCoin payment for a delivered encryption key.
The libraries are public -- so now what?
The CIA's mandate is to gather information on international persons of interest, primarily through human-gathered intelligence. The library dump is not contrary to that goal, advances the CIA's purpose -- and most importantly there is no evidence that the agency used the tools illicitly against the U.S. public.Regardless of the libraries going public, most AppleInsider readers don't need to worry about the libraries, other than from a idealogical or political standpoint. Bar none, the CIA attacks are targeted, with nearly all of the "modern" ones for Apple equipment requiring physical access to equipment and a great deal of effort and sometimes physical danger, to implement.
The larger danger is the fact that the exploit library is public, with some vectors of attack more well-known now. This doesn't make the attacks any easier to deploy, but it does widen the potential pool of people willing to use them.
None of the exploits are mass-deployable, or pose any significant mass-surveillance threat. It remains far easier in most cases for the CIA or other intelligence gathering or law enforcement agencies to collect location and call data for iPhone users from wireless carriers, and perform some old-school legwork to suss out information about a target.
Comments
First. our government should not be spending so much money making the floors look so pretty, and putting big logos in the floor. Government workers should be working in spaces which were built by the lowest bidder with the cheapest available materials. The government is not a profit center so they should not be living like they make more money than the fortune 500 companies.
I would not count on the government not testing their exploits out on the general public, they have to do a proof of concept and prove they can hack into people systems. It not the fact they were listening and observing but what they did with the information. Then we have the FBI director come out and say American can not expect to have privacy in the modern age, the above article is why.
I am just glad Apple is on all of our sides at this point, and glad to hear Little Snitch may catch what our government is trying to do. I have use little snitch for many years and can not tell you how many apps do things you have no idea what they are doing. I have google total blocked from reporting home what I do.
correct. Anyone that says otherwise is a fool.
The more IoT stuff we put into our homes, the greater the attack vector the bad guys have to aim at.
Smart TV's, Light Bulbs, Fridges, Amazon and Google boxes used as voice assistants.... the list is growing and it is not only phones and computers.
It's clear now that the government has enough issues maintaining their own data integrity in this day and age where global actors can have more ways to access "secure" data, let alone having things get passed the old fashioned way - by someone who has a beef with any particular agency or government.
Am I reading this right -- are you honestly suggesting we execute these document leakers and their families? That strikes me as absurd. Something N. Korea would do.
We also see irrational outlets of fear. For example, people on this forum afraid that the Amazon Echo listening for the Alexa keyword means that it's recording everything, yet not once considering that their PC's microphone could be recording everything without their knowledge. Where is the logic in thinking that because Amazon says they listen for a keyword that it's any less secure than your PC, which you could've given admin rights via an app that is connected to your mic, camera, and display?
Kill entire families? So the Geneva Convention or just any level of humanity is no longer a consideration? I don't want to live in that world.
I don't, on both counts. If they want to try to find and exploit a flaw, then by all means go for it, but the same goes for heroic whistleblowers that reveal when a government is overstepping their authority, and I am shocked that you'd suggest that an entire genetic line of family members should be murdered in order to help an out of control government from losing its authorization rule over its people.
You assume they are the best and the brightest, plus it is not about the building you work in, if someone is working for the government they do because they feel they have civic duty. This is why the government employs over 3 million people today, they love all those perks and jobs for Life. Glad to see Trump trying to put an end to that.
Also you know most companies are going to a very minimalist work environment, they been moving away from the fancy work spaces.
So in Apple world ( normal user edition ) all is in balance, none of us have information worthy of national intelligence surveillance, and if we do, then we should expect oversight, by the FBI. And as long as our government is held to historically accepted Constituional protections and exerts a benevolent leadership, now in question, then there will be nothing to be concerned about in that realm.
Apple is both a valuable protector of our rights, a good corporate and planetary citizen and a valuable voice for our freedoms and liberty.
They have an extremely difficult path to follow, but they are firmly on the side of truth, justice and security, by every metric I have seen.
The foot traffic that crosses that logo each day would destroy any lesser flooring material in 3 to 5 years, requiring replacement. Lowest bidder for the same quality is one thing, choosing the lowest bidder using a lower quality build is quite another. The current CIA facility was dedicated in Nov 1961 by then President Kennedy. That would make CIA headquarters 56 years old this year. Whatever it cost for those floors (and everything else in the building) back then, I'd say the US taxpayer has received good value for their money.
I 100% agree with your response to the call for “punishment by death” statement of the original post which is clearly absurd. But I’d strongly contend that the release of these document would not be considered whistleblowing (based on what we know so far).
This AI article is one of the few that discuss this issue in a level-headed manner. Of course the CIA works on developing these tools! Anyone who would be surprised by this would also be surprised to learn that their local police department has jail cells (which could be used to wrongfully imprison you) and the fire department has axes (which they could attack you with). It’s their job to have these tools, and their responsibility to use them lawfully. And if they don’t, they need to be held accountable, which is where whistleblowing may come into the picture.
As far as I’m aware, so far these documents fall into the “that’s their job” category and haven’t provided any evidence that they’ve been illegally deployed against US citizens. Of course, there are entities out there who love the FUD these “revelations” create even if they know that the facts are being grossly misrepresented/misunderstood.