CIA hacking dossier leak reignites debate over vulnerability disclosure

Spy agencies more interested in stockpiling bugs than closing the gaps

WikiLeaks' dump of CIA hacking tool documents on Tuesday has kicked off a debate among security vendors about whether intel agencies are stockpiling vulnerabilities, and the effect this is having on overall security hygiene.

The leaked documents purport to show how the intel agency infiltrates smartphones, PCs, routers, IoT gear, potentially smart TVs, and other devices, using a range of hacking tools, as previously reported. These capabilities are hardly surprising to anyone who remembers the disclosures from former NSA contractor Edward Snowden back in 2013.

The CIA's abilities are more aligned toward targeted attacks rather than mass surveillance and bulk data collection – the stock in trade of the NSA, GCHQ and other signals intelligence agencies.

Still, it means the spy agency has a stockpile of vulnerabilities in hardware and software for future exploitation, and it is unlikely to share details of these bugs with vendors in case the programming flaws are patched, according to security watchers.

Mikko Hypponen, chief research officer of security software firm F-Secure, commented: "In countries like the US, the intelligence agencies' mission is to keep the citizens of their country safe. The Vault7 leak proves that the CIA had knowledge of iPhone vulnerabilities."

"However, instead of informing Apple, the CIA decided to keep it secret. So the leak tells us a bit about how the CIA decided to use its knowledge: it considered it more important to keep everybody insecure than protecting its citizens from the vulnerability, and maybe use the vulnerability for its own purposes or counter terrorism purposes."

Slawek Ligier, VP of security engineering at Barracuda, argued CIA hacking could be working against its wider national interest.

"If the CIA knows of the specific exploit, chances are that the MI6, FSB, MSS, and Mossad are aware of it as well," Ligier said. "Not working on closing the gap and hoping that we will be the only ones able to exploit it puts all of us at risk. And frankly, the United States has much more to lose through potential industrial espionage than other countries."

Not all experts agree that the CIA is stockpiling vulns. "The government doesn't 'hoard' zero days. It uses zero days, it doesn't have a cache of zero days it isn't using," according to Rob Graham of Errata Security. Graham added that the agency buys rather than finds unpatched vulnerabilities, so critics are actually arguing that the government should spend millions on vulnerabilities in order to disclose them to vendors.

The CIA is yet to either confirm or deny the authenticity of the leak, but former spy agency boss Michael Hayden has decried the release – if confirmed – as "damaging" to the techniques and tactics used by the CIA to conduct legitimate foreign intelligence, thereby making Western countries less safe. What's been exposed is at least consistent with what we know about the CIA's likely capabilities, and experts are taking it seriously.

"The CIA reports show the USG developing vulnerabilities in US products, then intentionally keeping the holes open," said Edward Snowden in a Twitter update. "Reckless beyond words."

Security pundits fear that information exposed in the release will allow cybercriminals and less capable nation states to up the ante.

Richard Henderson, global security strategist at computer forensics outfit Absolute, said: "What's especially scary about the dump, and the exploits behind them, is that it appears the CIA may have lost control of all the tools at their disposal ... meaning that it is entirely likely that all of these exploits, vulnerabilities, tools, and malware are now in the hands of foreign governments or cybercriminals. In fact, the CIA's own documents show that they have been sharing selected exploits to other 'friendly' foreign governments for their own purposes.

"These developments are troubling for many reasons. First, the fact that a government intelligence agency has been actively purchasing, developing, and distributing critical vulnerabilities in ubiquitous consumer devices forces us to ask some very hard questions about the levels of oversight these agencies have right now. Second, this incident makes it crystal clear to me that the government push to mandate or legislate backdoors into devices (which Apple pushed back on recently) can never be successful. These backdoors will leak out into the open, making it entirely likely that agencies not friendly to the West will also take advantage of these vulnerabilities," Henderson warned.

Craig Fagan, policy director at the Web Foundation, said: "Governments should be safeguarding the digital privacy and security of their citizens, but these alleged actions by the CIA do just the opposite. Weaponizing everyday products such as TVs and smartphones – and failing to disclose vulnerabilities to manufacturers – is dangerous and short-sighted. It puts people around the world at risk of attack from hackers and repressive regimes, and this leak itself shows just how likely such tools are to spread beyond the organization that developed them."

Some vendors hoped the release would help spur the development of patches from Apple, Google and other affected vendors.

From Casey Ellis, chief exec and founder of bug bounty outfit Bugcrowd: "In this mix there are the targeted vendors who, before today, were likely unaware of the specific vulnerabilities these exploits were targeting. Right now, the security teams are pulling apart the Wikileaks dump, performing technical analysis, assessing and prioritizing the risk to their products and the people who use them, and instructing the engineering teams towards creating patches.

"The net outcome over the long term is actually a good thing for Internet security – the vulnerabilities that were exploited by these tools will be patched, and the risk to consumers reduced as a result – but for now we are entering yet another Shadow Brokers, Stuxnet, Flame, Duqu, etc, a period of actively exploitable 0-days bouncing around in the wild," Ellis said.

Absolute's Henderson added: "I hope that if the technical details of the exploits become more and more in the open, device manufacturers will be quick to respond with updates and remediation steps to protect customers."

Wikileaks, the CIA, and the original exploit authors have combined to provide the same knowledge as the "good old days" of full disclosure – but with far less control and a great many more side-effects than if the vendors were to take the initiative themselves, according to Bugcrowd's Ellis.

"It's only when the pain of doing nothing exceeds the pain of change that the majority of organizations will shift to a proactive vulnerability discovery strategy and the vulnerabilities exploited by these toolkits – and the risk those vulnerabilities create for the Internet – will become less and less common," Ellis concluded. ®
