That CIA exploit list in full: The good, the bad, and the very ugly

We're still going through the 8,761 CIA documents published on Tuesday by WikiLeaks for political mischief, although here are some of the highlights. First, though, a few general points: one, there's very little here that should shock you. The CIA is a spying organization, after all, and, yes, it spies on people. Two, unlike …

  1. julian.smith
    FAIL

    Re: Who...

    Citation required .... put up or shut up!

  2. Anonymous Coward
    Anonymous Coward

    WhatsApp / Signal

    I can see how Signal would be safe, you can't screenshot it and it seems to have some pretty robust protection around the app...however, if a phone has been locally compromised (which appears to be the point of these 'sploits) then WhatsApp could easily be compromised since you can screenshot it.

    Also, WhatsApp images are stored in the clear on your phone.

    Am I right?

  3. Pseu Donyme

    Re: WhatsApp / Signal

    I don't think any app is safe against local root access, never mind an exploit that allows running code in kernel mode i.e. unfettered access to the hardware: with these the attacker has access to everything the user has (and more).

  4. Tom Paine Silver badge

    Re: WhatsApp / Signal

    SGX is an attempt to implement privacy from root:

    https://en.wikipedia.org/wiki/Software_Guard_Extensions

    Can't see it working in the real world, myself, and it's already had some flaws discovered:

    https://arxiv.org/abs/1702.08719

    Apologies to whoever/wherever I picked those links up from, I can't remember where it was. El Reg, possibly.

  5. Anonymous Coward
    Anonymous Coward

    Re: WhatsApp / Signal

    If they'd like to show me how to root my new-ish Chinese Doogee phone I'd be very grateful to them. :o)

  6. Anonymous Coward
    Anonymous Coward

    You were right, no surprises

    just disappointment and disillusion caused by the use of politically motivated leaks... and the do as I say, not as I do el president.

    What did they expect after all? An inventory of ear trumpets, micro cameras and telescopes?

  7. Anonymous Coward
    Anonymous Coward

    Dunno what to say

    but El Reg did a great job in going through the documents so...

    d(*⌒▽⌒*)b "good job"

    but if this is a single target operation organization, then it's somewhat expected. If someone is determined to hack the target, it's very likely they'll get hacked especially in today's security.

  8. TRT Silver badge

    Re: Dunno what to say

    That comment?

    ಥ_ಥ

  9. regregular

    Question not addressed

    I am not tech savvy enough to look at exploits and figure this one out myself, so here is a question to the editors or knowledgeable readers...

    It is claimed that Wikileaks has not dumped raw this time around, but redacted stuff. One new report also said that the "exploits" aren't, they are just rough descriptions with no code, tools or proof of concept. So, on the surface a responsible thing to do, otherwise every criminal could now use those exploits with minimal effort and research in a fresh incarnation of malware/ransomware.

    What I wonder though, are those released bits enough to let the engineers at the manufacturers figure out what is wrong with their code and fix it? Is this leak going to result (at least with manufacturers who care) in mitigation of those attack vectors or are they just being told "your stuff is exploitable, but you don't know how..." ?

  10. Naselus Silver badge

    Re: Question not addressed

    Depends on the vendor, mostly.

    Quite a few of the exploits rely on already-patched vulnerabilities - so several of the iOS, OSX and Android ones won't work on modern equipment regardless. Others are of questionable value to patch - anything which requires them to actually nick your phone to deploy is unlikely to be considered a high priority, for example.

    Of the remaining ones, Microsoft, Apple, Google, Linux and Cisco are likely to go into patch-mode overdrive to clear up actual vulnerabilities of zero-days. High-end phone manufacturers (Sony, Samsung etc) will probably look to implement some fixes too. Some of the leaks are pretty specific (say, the Windows control panel exploit) and so can be patched around. Others are vague to the point of useless.

    Lower-end phone manufacturers, mid-range and below models from the big names, and 95% of IoT vendors, on the other hand, are pretty unlikely to do anything either way; as a rule, anything IoT doesn't require any effort whatsoever to hack right now and so is unlikely to see any improvement from this. There's 2 or 3 devices this doesn't apply to (Nest thermostats, Amazon Echo and Google Home, one or two others) but even they are unlikely to be particularly secure and shouldn't be given access to any sensitive information.

    In terms of non-vendor security stuff, we could add extra blocking rules to firewalls and monitor back-end traffic based on some of the information in the leaks, but the odds of the CIA continuing to use any easily-changed stuff (like port numbers or C&C server IPs) after this are basically zero, so any short-term fixing on that score will be obsolete before you read this post.

    On the other hand, unless you're either a high-ranking member of the Russian government or presently running an Al Qaeda cell, you're probably not on the CIA's radar anyway and not likely to be a victim of any of the exploits listed. They don't really care what most people are doing unless it's directly pertinent to a current investigation, and having useless extra data to analyse is generally considered detrimental by most spy agencies.

    There's about 3 billion phone calls made in the USA alone every day. The NSA may be recording them all, but no-one is listening to them for the most part; they use heuristic software (like your antivirus) to try and filter it down to a manageable number for human analysts to look at in real time, but not particularly successfully. I recall at least one senior intelligence official specifically stating that the NSA's mass-tapping program was a waste of time, effort and money that yielded far less useful intel than old-fashioned spy work did, and made the agency complacent on top - it's almost pure security theater with very little benefit. You're just not that interesting to the US government.

  11. Aristotles slow and dimwitted horse Silver badge

    Slightly off topic...

    Apologies for a slightly off-topic post... but can anyone point me to a guide as to how to Wireshark other devices on my LAN via wi-fi. I have W/S on my PC and can see the traffic coming and going from that, but as a previous commentard mentioned I'd like to see what traffic is coming from my TV and other connected devices on my network, and then to ensure that it's all leaving my router encrypted properly via my VPN.

    I have it in promiscuous mode, but I still can't seem to see traffic from other devices - so perhaps I have the method totally wrong?

    Thanks in advance.

  12. hplasm Silver badge
    Boffin

    Re: Slightly off topic...

    You will either need a non-switch hub that you can use to tap the lead from the device of interest; or the switch that it is connected to, if better than base level, would need to support port spanning, that can direct the target's port traffic to your Wireshark PC's port.

    HTH

  13. Anonymous Coward
    Anonymous Coward

    Re: Slightly off topic...

    I just use arpspoof on a linux box to sniff whatever traffic I like:

    echo 1 > /proc/sys/net/ipv4/ip_forward (to activate port forwarding)

    arpspoof -i wlan0 -t <target> <default gateway> -r (to arpspoof both ways).

    Then you just run wireshark. If you want to specifically target HTTP/HTTPS traffic you fire up burpsuite on port 8080 then use an iptables rule to forward all 80/443 traffic to that. Have fun!
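The technique in the post above rewrites the ARP cache of both the target and the gateway so that the sniffing box sits in the middle. From the defender's side, the same thing is visible in the ARP traffic on the LAN. The following is an added example, not the commenter's tooling: it parses a small constructed capture in the shape of `tcpdump -n arp` output and flags the two tell-tale signs, an IP whose MAC changes from what was first seen (or from a trusted binding you supply), and a single MAC answering for several IPs. The capture lines, MACs and addresses are made up for the example.

```python
"""Spot ARP cache poisoning from a log of ARP replies.

Added example (not from the original thread). Runs offline over a
constructed capture shaped like `tcpdump -n arp` output.
"""
import re
from collections import defaultdict

# Constructed sample capture: three hosts announce themselves, then one MAC
# starts answering for the router (.1) and the TV (.20) as well as itself.
SAMPLE_CAPTURE = """\
12:00:01.000000 ARP, Reply 192.168.1.1 is-at aa:aa:aa:aa:aa:01, length 28
12:00:01.500000 ARP, Reply 192.168.1.20 is-at bb:bb:bb:bb:bb:20, length 28
12:00:02.000000 ARP, Reply 192.168.1.30 is-at cc:cc:cc:cc:cc:30, length 28
12:00:09.000000 ARP, Reply 192.168.1.1 is-at cc:cc:cc:cc:cc:30, length 28
12:00:09.100000 ARP, Reply 192.168.1.20 is-at cc:cc:cc:cc:cc:30, length 28
"""

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-f:]{17})"
)


def parse_arp_replies(text):
    """Return [(timestamp, ip, mac), ...] for every ARP reply line; other lines are ignored."""
    replies = []
    for line in text.splitlines():
        m = ARP_REPLY_RE.match(line)
        if m:
            replies.append((m.group("ts"), m.group("ip"), m.group("mac").lower()))
    return replies


def detect_arp_spoofing(replies, trusted=None):
    """Return a list of alert strings, one per suspicious reply.

    trusted: optional {ip: mac} for bindings you know (e.g. the gateway).
    Any IP not in `trusted` is pinned to the MAC it was first seen with;
    the pinned value is never updated, so a later change is always reported.
    """
    expected = dict(trusted or {})          # ip -> mac we believe is right
    mac_to_ips = defaultdict(set)           # mac -> every ip it has answered for
    alerts = []
    for ts, ip, mac in replies:
        known = expected.setdefault(ip, mac)
        if known != mac:
            # Signal 1: the IP's MAC changed (classic gateway impersonation).
            alerts.append(f"{ts}: {ip} answered from {mac}, expected {known}")
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            # Signal 2: one NIC claims several IPs (both ends of a two-way poison).
            alerts.append(f"{ts}: {mac} now answers for {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_arp_replies(SAMPLE_CAPTURE)):
        print(alert)
```

On a real network, feed it the output of `tcpdump -n -l arp` (or the ARP frames from a Wireshark capture exported as text) and pass your router's true MAC in `trusted` so that a poison that starts before the capture does is still caught. Static ARP entries for the gateway on the hosts you care about, or a switch with dynamic ARP inspection, are the usual mitigations; the detector only tells you that it is happening.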

  14. Phil Endecott Silver badge

    Re: Slightly off topic...

    > can anyone point me to a guide as to how to Wireshark other

    > devices on my LAN via wi-fi.

    Your switch needs "port mirroring".

    I.e. you need an ethernet switch connected to (a) broadband router, (b) wifi access point, (c) PC, configured so that port (b) is mirrored to port (c).

    This isn't easy if you have a combined wifi+broadband box, as most people do, unless that has a mirroring feature itself (which it probably doesn't). And the cheapest ethernet switches don't have port mirroring.

    The alternative is to have two network interfaces on your PC, and to make the PC itself a bridge that the data must traverse between the broadband internet connection and the device of interest.
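The answers above all come down to one fact: a switch only forwards a unicast frame to the port where it last saw the destination MAC, so a PC in promiscuous mode on its own port never receives the TV's conversation with the router, however promiscuous the NIC is. The following added example (mine, not from any commenter) is a toy learning switch with the three-port layout described above: router on port a, Wi-Fi access point with the TV behind it on port b, the sniffing PC on port c. Running the same traffic with and without a mirror of port b onto port c shows exactly which frames the PC's capture can contain. Port names, MACs and payload labels are constructed.

```python
"""Toy learning switch, with an optional mirror port, to show why promiscuous
mode alone does not reveal other hosts' traffic on a switched LAN.

Added example, not from the original thread. All names are constructed.
"""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports, mirror=None):
        self.ports = list(ports)
        self.table = {}                      # MAC -> port, learned from source addresses
        self.mirror = mirror                 # (monitored_port, destination_port) or None
        self.delivered = defaultdict(list)   # port -> frames actually sent out of it

    def receive(self, in_port, src, dst, payload):
        """Forward one frame the way a basic switch would."""
        self.table[src] = in_port            # learn where the sender lives
        out_port = self.table.get(dst)
        if dst == BROADCAST or out_port is None:
            # broadcast / unknown unicast: flood to every other port
            outs = [p for p in self.ports if p != in_port]
        else:
            # known unicast: only the port the destination was learned on
            outs = [out_port] if out_port != in_port else []
        frame = (src, dst, payload)
        for p in outs:
            self.delivered[p].append(frame)
        # Port mirroring copies everything entering or leaving the monitored port
        # to the destination port, even when normal forwarding would not go there.
        if self.mirror:
            monitored, dest = self.mirror
            touches_monitored = in_port == monitored or monitored in outs
            if touches_monitored and dest not in outs and dest != in_port:
                self.delivered[dest].append(frame)


def frames_seen_by_pc(mirror=None):
    """Return the payloads that reach the PC's port (c) for a fixed traffic script.

    A promiscuous NIC accepts every frame that arrives on its cable; this list is
    exactly what arrives, so it is also exactly what Wireshark on the PC can show.
    """
    sw = LearningSwitch(["a", "b", "c"], mirror=mirror)
    router, tv, pc = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:20", "cc:cc:cc:cc:cc:30"
    # Each host broadcasts once (as an ARP request would), so the switch learns all three.
    sw.receive("a", router, BROADCAST, "router who-has")
    sw.receive("b", tv, BROADCAST, "tv who-has")
    sw.receive("c", pc, BROADCAST, "pc who-has")
    # Now the TV and the router exchange unicast traffic.
    sw.receive("b", tv, router, "tv->router")
    sw.receive("a", router, tv, "router->tv")
    return [payload for (_, _, payload) in sw.delivered["c"]]


if __name__ == "__main__":
    print("no mirror:     ", frames_seen_by_pc())
    print("mirror b -> c: ", frames_seen_by_pc(mirror=("b", "c")))
```

Without the mirror the PC's port only ever carries the two flooded broadcasts; the TV/router unicasts never leave ports a and b. With port b mirrored to port c, both directions of that conversation are copied to the PC, which is what the `arpspoof` shortcut in an earlier comment fakes by making the switch's learned table point at the attacker's port instead. The same model explains the two-NIC bridge suggestion: a bridge in the path sees every frame because it is the path.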

  15. TRT Silver badge

    Re: Slightly off topic...

    If the WiFi Access Point is built in to the final gateway/modem, then you'll have to run a custom firmware/OS on the modem/WAP/switch.

    I've got my devices all separated out so I can control and monitor each step. Meraki Wi-Fi WAP, connects to a switch/vLAN gateway for the wired LAN, switch/vLAN gateway connects to a firewall/NAT, firewall/NAT connects to a DOCSIS3 modem. I can insert a laptop with two ethernet ports in-between any two of the devices and capture all the packets travelling between them. Kind of cumbersome, but I feel it's better than having it all in one "magic box".

  16. Aristotles slow and dimwitted horse Silver badge
    Pint

    Re: Slightly off topic...

    Thanks chaps for all of the responses to my initial query. Very helpful commentards you all are.

    Have a pint on me --->

  17. Anonymous Coward
    Anonymous Coward

    Just like normal developers

    Did anyone notice they are all using Jira + Git for their source control/workflow?

    Also there was a funny bit where someone listed the passwords to their 'test' laptops and then in the comments people are going 'What if security sees this?'. You'd be forgiven for thinking it was a leak from some random company's intranet, not the CIA.

  18. Digitall
    Black Helicopters

    That CIA exploit list in full?

    As previously mentioned, Linux and derivatives have not been mentioned due to the CIA using Linux as their base OS..as if they would show the exploits to compromise themselves!

    This in itself would be a backdoor to the CIA ..no?

  19. Tom Paine Silver badge

    Re: That CIA exploit list in full?

    You are mistaken. For a start, there are mentions of Linux exploits.

  20. EvadingGrid

    Re: That CIA exploit list in full?

    This is what happens when you rely on reporting, instead of looking for yourself. Most of the Linux docs are instructions for n00b windows gurus to do simple stuff using Linux. The only exploits I've found so far assume the user is too thick to look in /var/log or notice the mysterious extra .config file.... RTFwikileaks.

  21. John Smith 19 Gold badge
    Coat

    UMBRAGE?

    Does that make the Team Leaders code name "Dolores"?

  22. Aladdin Sane Silver badge

    Re: UMBRAGE?

    Who'd've thunk that a bunch of nerds would be so geeky.

  23. Allonymous Coward
    Big Brother

    What depresses me about all this

    Is the fact that, once again, Richard Stallman has been shown to be right instead of just a toejam-eating, tinfoil-hat-wearing nutcase.

  24. wolfetone Silver badge

    RE: toejam-eating

    Oh come on! I was nearly free of the image of seeing him do that. Thanks for refreshing that particular memory.

  25. Kiwi
    Linux

    Re: What depresses me about all this

    Is the fact that, once again, Richard Stallman has been shown to be right instead of just a toejam-eating, tinfoil-hat-wearing nutcase.

    So.. And please note that I am a fan of Linux and get great pleasure at deriding the crapfest that is windoze, and while I respect at least some of what RS has tried to do for the computer users of the world and for those of us who use free software..

    But I have to ask.. Is he "proven right" when he "developed" the software we erroneously call "Linux"? I thought that was some guy named Linus or something like that in the 90's but I guess I could be wrong, and I quote: "I gave this system the name GNU. (You have probably heard people call it “Linux”, but that's an error.)"

    Stuff like this undermines otherwise good work. Perhaps his reputation as a bit of a nutter is somewhat earned? Am I missing something here?

  26. Winkypop Silver badge
    Joke

    I got spied on once....

    ....CIA said I was too boring, so moved on to the Hamdanis next door.

  27. Archtech Silver badge

    "Nothing to see here, folks, move along..."

    I know the CIA has made a practice of handing complete articles to the media and having them published as if independently written. But I didn't know The Register participated in the program.

    "First, though, a few general points: one, there's very little here that should shock you. The CIA is a spying organization, after all, and, yes, it spies on people".

    So there's nothing to see here, move along people, nothing to worry about. Just your government doing its job as usual.

    Of course, dirty lousy Russian fink spying is a rotten trick that we should all abhor. But good ol' American spying is, well, just what you should expect.

    It's amusing to note that the CIA apparently has "five main directorates" - just like the KGB in all those thriller novels and movies.

  28. Tom Paine Silver badge

    Re: "Nothing to see here, folks, move along..."

    So there's nothing to see here, move along people, nothing to worry about. Just your government doing its job as usual.

    Of course, dirty lousy Russian fink spying is a rotten trick that we should all abhor. But good ol' American spying is, well, just what you should expect.

    Yes, that's right, except that you should expect Russia to hack in pursuit of intelligence as well. Nothing controversial in that. What the US and EU are getting upset about are active information warfare operations designed to influence domestic politics. I can see both sides on that; the US, I'm sure, would love to be rid of Putin and might well be doing things to try to hasten that day, but Putin's Russia is (1) an adversary and (2) not a liberal democracy. If there was evidence the CIA were trying to influence, say, domestic UK politics in a significant way, there'd be an uproar, and rightly so.

  29. Anonymous Coward
    Anonymous Coward

    Re: "CIA evidence influencing domestic UK politicks..."

    as if! https://en.wikipedia.org/wiki/The_Atlantic_Bridge

    quote: A 2010 report by the Charity Commission ruled that it was "not evident that [The_Atlantic_Bridge] had advanced education" and "may lead members of the public to call into question its independence from party politics". It was ordered to enact a 12-month review to bring it into line with its charitable objectives. On 30 September 2011, The Atlantic Bridge was dissolved by its trustees.

    The 'old' guardian mentioned this additional high-level group of non-transparent influenced politicos etc

    https://www.theguardian.com/world/2004/nov/06/usa.politics1

    quote: US news, Friends in high places

    You won't have heard of the British-American Project, but its members include some of the most powerful men and women in the UK. Officially it exists to promote the 'special relationship', but it has been described as a Trojan horse for US foreign policy. Even its supporters joke that it's funded by the CIA. Should we be worried? Andy Beckett reports Saturday 6th November 2004

    "Mo Mowlam ... Chris Smith ... Peter Mandelson ... Baroness Symons ... George Robertson ... Jonathan Powell ... Geoff Mulgan ... Matthew Taylor ... // ...James Naughtie and Jeremy Paxman " etc

    On the wider media fringes, can find loads more 'open source evidence,' possibly including https://en.wikipedia.org/wiki/Kennedy_Scholarship

    just look at some of those 'useful idiots' on that list - some of them still try to influence domestic UK politics, allegedly.

    polyticks = many, evil blood-sucking insects

  30. Archtech Silver badge

    Re: "Nothing to see here, folks, move along..."

    "What the US and EU are getting upset about are active information warfare operations designed to influence domestic politics".

    Well, in that case they should tell the CIA and NSA to stop doing it.

  31. WatAWorld

    Re: "Nothing to see here, folks, move along..."

    "I know the CIA has made a practice of handing complete articles to the media and having them published as if independently written. But I didn't know The Register participated in the program."

    I wonder if there'll be resignations over this at The Reg.

  32. Uffish

    Re: "Nothing to see here, folks, move along..."

    @ Tom Paine, you wrote:-

    "If there was evidence the CIA were trying to influence, say, domestic UK politics in a significant way, there'd be an uproar, and rightly so."

    My personal belief, without any proof, is that the USA has influenced UK domestic politics and there wasn't an uproar. Mind you, they are usually very good about not leaving evidence.

  33. Pseu Donyme

    I'll have to object to the idea (a tautology, really) that being a spy organization legitimizes spying: in civilized countries this is illegal without a warrant (for a good reason). Moreover, a spy organization operating outside its native country / jurisdiction cannot legitimately have such a warrant.

  34. Tom Paine Silver badge

    Of course Country B's laws won't allow Country A to spy on it, but Country A's laws certainly allow them to spy on Country B, and vice versa. Not sure what point you're trying to make here. Espionage and intelligence are a Bad Thing and unsporting, and gentlemen should never do it? If so, I'm sorry but that ship sailed many centuries ago.

  35. Naselus Silver badge

    ...ish.

    While, in theory, spying is illegal, in practice it's tolerated because otherwise it makes diplomacy almost impossible. In international relations, having some level of espionage is considered sort of polite; it shows you take an interest in what your neighbour's up to and his culture. Plus, because it's still theoretically illegal, it gives you someone to expel if you want to make a diplomatic statement - which is why during the cold war the US or USSR could always conjure up 70+ spies to expel when the other pissed them off. They already knew they were there, but were tolerated because not spying on each other obsessively would cause the odds of nuclear war to go up.

  36. Aladdin Sane Silver badge

    Besides, if you know somebody's a spy then you keep them around, otherwise they'll be replaced by somebody who may not be a spy.

  37. Archtech Silver badge

    Country A = USA

    We were talking about Country A (i.e. the USA) being spied on by its own "intelligence agencies" (aka "criminal enterprises"). And not being able to do anything about it, because:

    1. The American voter has no influence whatsoever over either the President or Congress;

    2. Neither the President nor Congress has any influence whatsoever over the alphabet soup;

    3. If any mere politician (or anyone else) looks like being too much of a nuisance, the agencies just kill them. (Cf both Kennedys, MLK, etc. etc.)

  38. Christoph Silver badge

    "Hacking devices this way is fraught with risk and cost"

    Not if the target goes through an airport and has their phone taken away and compromised.

  39. Anonymous Coward
    Anonymous Coward

    Not sure where Intelligence is lower

    The news from WikiLeaks is not that the CIA spies but what they are using to do it. I'm not sure why so many commentards seem to think this proves Obama didn't spy on Trump but then, from what they are saying, it seems like they think Obama's apparent penchant for annoying President Putin and the Russians is fully justified because Obama said Trump was talking to the Russians before he became President.

    Since the alternative is NOT talking to the Russians (who, coincidentally, have more nukes than anyone else) which would almost certainly feed their alleged paranoia and distrust of (Obama's) America, I am not quite sure what would be gained by following the sentiments displayed by most of the people here.

    Honestly, trying to discuss whether or not the Alphabet Soup mobs should be spying on their own citizens (regardless of exactly how they are doing it, and doing it through the other '5 Eyes' nations as proxies is no different than doing it themselves if you stop and think about it) is getting to be like trying to hold an intelligent conversation about non-manmade global warming or the UK leaving the EU without having some idiot start shouting to cover for the fact they have no real evidence to back up their claims.

  40. Anonymous Coward
    Anonymous Coward

    Finally, a valid use case for smart meters

    Finally, a valid use case for smart meters. The real-time power usage monitor will tell me when the CIA is secretly turning on my TV.

    Unless they're fiddling my smart meter readings too of course. Am I just the right amount of paranoid, or not paranoid enough?

  41. regregular

    Re: Finally, a valid use case for smart meters

    Curiosity: knowing if/when they eavesdrop

    Paranoia: Switchable power outlet to cut all power to device when not in use. For good measure, opening up the device and drilling out or unsoldering microphone / camera. That is paranoia.

  42. Anonymous Coward
    Anonymous Coward

    Re: Finally, a valid use case for smart meters

    > Paranoia: Switchable power outlet to cut all power to device when not in use.

    Errr... sounds more like an effective way to manage power use?

  43. Haefen

    Democracy has ended

    To have functioning democracy the citizenry must be informed, the government transparent, and voters free from manipulation, fear, and government reprisals. None of that is possible in the 21st century, where any or all citizens can be covertly targeted for total surveillance, even eliminated leaving no evidence if required. Where China is the success story and Russia is showing the world the way forward for what is still being called democracy. Where even the President of the U.S.A. has the power to drone kill American citizens without due process and has indeed drone killed American citizens without due process and the MSM dutifully reported that new power as nothing to worry about.

    With nations ignoring the interests of their citizens with trade and immigration policies, transferring ever larger tax loads onto individuals, giving the wealthy open access to State coffers, and failing to protect all cultures equally what is a concerned citizen to do?

    When peaceful revolution is made impossible.

  44. Archtech Silver badge

    Re: Democracy has ended

    "To have functioning democracy the citizenry must be informed, the government transparent, and voters free from manipulation, fear, and government reprisals..."

    Hahahahahahahahahahaha! I thought we were discussing the USA - why have you suddenly switched to Russia?

    As for the USA, it's been ready for the proverbial fork for a few decades now.

    https://www.amazon.co.uk/GOVERNMENT-WOLVES-JOHN-W-WHITEHEAD/dp/1590799755

    https://www.amazon.co.uk/CIA-Organized-Crime-Illegal-Operations/dp/0997287012

    https://www.amazon.co.uk/Devils-Chessboard-Dulles-Americas-Government/dp/0008159661

    https://www.amazon.co.uk/Brothers-Stephen-Kinzer/dp/1250053129

  45. Haefen

    Re: Democracy has ended

    "Hahahahahahahahahahaha! I thought we were discussing the USA - why have you suddenly switched to Russia?"

    Maybe because the USA gazed too long into the abyss but as this story and your links tell us the reasons matter little. The "Democratic" West has become a monster, become the very things those before us fought against. And all we had to do to avoid this monster was to protect their vision of our future, to speak up and protect the rights we had.

    Now we are fighting a 5 eyed monster that is far more powerful than they could have ever imagined.

    Interesting times.

  46. Zmodem

    that's all well and good unless you have zonealarm on your windows, it's still British and won't take no CIA money like PGP

  47. Robert D Bank

    Targeting

    I expect by far the greatest use of any of these exploits is for gaining advantage in international trade or other negotiations, for corporate commercial advantage and to some extent criminal and terrorist tracking, in that order. And by the above I wouldn't align this to any particular state, there are those that happily sit way above that level that feed off this.

    May their pubes catch on fire.

  48. SamuraiMark

    "The President's pet news outlet Breitbart"

    Other way round, no?

  49. PTW
    Flame

    Dear el Reg,

    How about you stick to reporting tech news?

    The subject is tech, the political bias in this piece is just bullshit, it's not a sixth form common room!

    I really feel for your hacks that failed to be hired by the HuffPo, or The Indy but here really isn't the place.

    Caveat - This may have been said previously in the thread but it was TL;DR

    I want the old Reg back.


Biting the hand that feeds IT © 1998–2018