Earlier today, Wikileaks dumped a large database of secret documents from the CIA in a released dubbed #Vault7. Here we do a deeper analysis of the leak and the broader implications on online security and encrypted services.
Our in-depth analysis of the leaked CIA files is found at the bottom of this post. First, we will discuss the main question on everybody’s mind – how are encrypted services like ProtonMail impacted, and what insights did we gain into the strategies of state-backed attackers.
No, Encryption Is Not Dead
Immediately after the news broke, stories began circulating, along the lines of “Signal/Whatsapp encryption broken!”, fueled in part by Tweets put out by Wikileaks. This was followed predictably by online chatter speculating into whether or not ProtonMail had been cracked.
We can state unequivocally that there is nothing in the leaked CIA files which indicates any sort of crack of ProtonMail’s encryption. And despite claims to the contrary, there is also no evidence that Signal/Whatsapp end-to-end encryption has been breached. Here’s what we do know:
Over the past three years, the CIA has put together a formidable arsenal of cyberweapons specially designed to gain surveillance capabilities over end-user devices such as mobile phones and laptop/desktop computers. These advanced malwares enable the CIA to record actions such as keystrokes on a mobile device, allowing them to conduct surveillance without breaking encryption. Through this technique, US intelligence agencies can gain access to data before they have been encrypted. This is in fact the only way to achieve data access, because cracking the cryptography used in advanced secure communication services such as ProtonMail and Signal is still impractical with current technology.
In other words, the core cryptographic algorithms and techniques used by ProtonMail and other encrypted services remain secure. The exploitation of user endpoints (mobile phones, personal computers, etc) is actually not a new technique, but one that has existed since the first malware was created. This unfortunately is not something that cryptography is designed to defend against, as encryption by itself cannot guarantee the security of end-user devices. What the CIA files dumped by Wikileaks do reveal however, is a significant shift in strategy since the last disclosure of this kind was made by Edward Snowden in 2013.
State-backed Cyberattack Strategy is Changing
ProtonMail is tool that is used by millions of people around the world to ensure email communications security. In addition to ordinary people and businesses, ProtonMail is also used by journalists, activists, and dissidents, who often require protection from government surveillance for their personal safety. Because of these factors, we make it our business to carefully study and understand state adversaries in order to better protect our userbase.
The Wikileaks CIA files is therefore, a comprehensive update into state cyberwarfare strategies since Snowden gave us the first edition. In fact, the trends that the files reveal are arguably global, since it is highly probable that other major players in this space (Russia, China, UK, Israel, etc) will have independently reached the same conclusions regarding overall strategy.
Some of the most interesting revelations from the Snowden leaks was the extent in which the NSA actively sought out information from the US tech giants, either with consent, or even without consent. This made a lot of sense, because the biggest global databases of sensitive personal data do not belong to the NSA, but actually to companies like Google and Facebook, who have already shown ample willingness to exploit such data for profit, sometimes via unscrupulous means.
Since 2013 however, the world has changed. Consumer and business awareness of online privacy and security is at an all time high, and more and more people around the world are increasingly choosing more secure services which respect privacy. Today, end-to-end encryption has gone mainstream, and services such as ProtonMail and Whatsapp boast millions of regular people as users. The use of end-to-end encryption means services such as ProtonMail are not actually able to decrypt user data. Even if we wanted to compromise user data, we do not have the technical means to decrypt the user emails. Furthermore, even if an attacker breached ProtonMail servers, all the emails stored on our servers are encrypted, so an attacker also would not be able to read user emails.
It’s clear from the leaked CIA documents that as the world has changed, stated-backed cyberattackers have also evolved. As we describe below, the varied leaked files are tied together by a common thread – an almost singular focus on producing malware to attack end-user devices. This is a logical response to the rise of end-to-end encrypted services such as ProtonMail. Services such as ProtonMail have significantly raised the barrier for obtaining data directly from the service provider, and many services are now based outside of the United States, beyond the reach of legal coercion. As such, it has now become easier, and more productive to directly hack individual users.
This opens up a terrifying new narrative where government spies are actively deploying viruses and trojans against their own citizens, joining the ranks of common cybercriminals. While this is by no means good news for privacy rights worldwide, it is in some ways, a win for privacy tech, because governments are having to shift away from mass surveillance and towards more targeted surveillance. In short, services such as ProtonMail are doing exactly what they were designed to do, which is raising barriers to large scale mass surveillance.
Our initial analysis into the Wikileaks CIA documents can be found below. Questions can be directed to firstname.lastname@example.org. If you would like to start benefiting from secure email, you can get a free ProtonMail account here.
The ProtonMail Team
ProtonMail Analysis of Wikileaks CIA Documents
#Vault7 in a sentence: It is a leak about the CIA’s hacking arsenal used against foreign governments and citizens both domestically and abroad.
Name of the database: Vault7. It is the first part in a series of leaks titled Year Zero.
Origin: Allegedly from the CIA’s Center for Cyber Intelligence unit in Langley, Virginia USA
Volume: 7,818 web pages with 943 attachments. According to Wikileaks, the entire archive of CIA material consists of several hundred million lines of computer code. Estimated to be bigger than the Snowden leaks (unconfirmed).
Dates of documents: from the time Snowden left the intelligence community till 2016. 2013-2016.
Intention: the source of the information told WikiLeaks in a statement that they wish to initiate a public debate about the “security, creation, use, proliferation and democratic control of cyber weapons.”
How is it different from the Snowden leaks: Snowden leaks exposed the NSA and its techniques of blanket surveillance on citizens and governments around the world. Vault7, on the other hand, exposes the CIA and what technologies it uses in cyber warfare against foreign governments as well as against targeted individuals.
What did we learn so far?
As we are examining the documents, we have identified that the leak concerns the CIA and what cyber weapons it uses. Over the next weeks we will continue to verify and update the information. Below is what we know so far about the programs used by the CIA, legality of the operations, and what this means for your privacy and security.
Germany is the CIA’s European Spybase
It was disclosed that the American consulate in Frankfurt is the main base for CIA hackers in Europe. This certainly raises some interesting questions, because it is highly unlikely that the CIA could run a major spy operation out of Frankfurt without German authorities being aware of it. Although it is not confirmed (and likely never will be), it is most probable that German authorities were in on it, and perhaps even actively participating as part of the Fourteen-Eyes program. It does call in question whether it is appropriate for a EU member state to authorize spying of EU citizens by a foreign power.
Programs used by the CIA
Weeping Angel – It is a program that transforms the microphones of smart TVs into surveillance tools. By manipulating the hardware, CIA hackers are able to turn on people’s smart TVs and listen to users’ conversations. In effect, Weeping Angel transforms smart TVs into bugs.
Our team quickly drew parallels between Weeping Angel and other surveillance tools described by Snowden. Weeping Angel is a technique that bears close resemblance to Nosey Smurf, a tool used by UK’s GCHQ to turn on a phone’s microphone and use it for audio surveillance. While Tracker Smurf – is a geo-location tool that offers a more accurate method of locating a phone and its carrier than using triangulation.
Zero day – Refers to a general type of vulnerability used by the CIA against any adversary’s device. WikiLeaks reports that Zero Day have been primarily used against companies in industrial espionage. In 2013, Snowden, also, revealed that the NSA was committing industrial espionage against Brazilian, Russian and European oil companies, banks, airlines and trade delegations. According to Vault7, the program produced over “a thousand hacking systems, trojans, viruses, and other “weaponized” malware.”
Hive is a multi-platform CIA malware suite that can be specifically utilized against states. “The project provides customizable implants for Windows, Solaris, MikroTik (used in internet routers) and Linux platforms and a Listening Post (LP)/Command and Control (C2) infrastructure to communicate with these implants.”
There are many parallels between Hive and Zero Day and the 2010 Stuxnet virus that attacked and infected the Iranian Nuclear program. Although no state took responsibility for the attack in 2010, Stuxnet has been linked by political pundits to American and Israeli surveillance and intelligence agencies due to its degree of sophistication.
Vault7 also reveals that the CIA has developed advanced capabilities for hacking mobile phones. The leaks show that the agency developed and used its tool to primarily control mobile phones and then extract data from them.
CIA’s Mobile Development Branch produces malware to pull data from iPhones and other Apple products running iOS, such as iPads. MDB also targets Android OS which is a much popular system than iOS and is the default operating system for the majority of smartphones including Sony, Samsung and Google Pixel. “Year Zero” shows that as of 2016 the CIA had 24 “weaponized” Android “zero days” which it has developed itself and obtained from GCHQ, NSA and cyber arms contractors.
Framing other governments
We were alarmed by the discovery of a tool that allows the CIA to potentially frame foreign governments for its cyber warfare acts. It works as follows. Imagine that each government or a hacking group has its own signature move or malicious software or a combination of both that it uses to attack its targets. After a while, whenever an attack occurs, it can be linked to to group based on that fingerprint.
WikiLeaks reports that a program ran by its Remote Devices Branch called UMBRAGE “collects and stores an extensive library of attack techniques”. According to Vault7, amassed techniques include those that are frequently used by Russia.
Some of the techniques currently at CIA’s disposal via UMBRAGE include: keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.
Vault7 reveals that the CIA has also produced rules on how its malware should be hidden when deployed to avoid any fingerprints leading back to the US or the agency.
Was this legal?
Preliminary findings reveal that the CIA had known about and enhanced the dissemination of these tools. In fact, according to WikiLeaks, the agency wanted the programs to be legal so that agents or CIA sponsored hackers can operate with full impunity.
According to Vault7, if ‘CIA software was classified then officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet. As a result- “the CIA has secretly made most of its cyber spying/war code unclassified”. The U.S. government is not able to assert copyright either, due to restrictions in the U.S. Constitution. This means that cyber ‘arms’ manufacturers and computer hackers can freely “pirate” these ‘weapons’ if they are obtained. The CIA has primarily had to rely on obfuscation to protect its malware secret.
Why is this critical?
While we are still mapping the dangers of such findings and capabilities, some conclusions are clear.
- The CIA can frame other governments
By using Hive and zero days, the US can wage a cyber attack against a nation state while purposefully leaving behind a trace that leads to another state. As governments around the world migrate their infrastructure control to cyber space – any cyber attack can have a devastating effect if targeted against hospitals, power plants or telecommunications providers.
- CIA backdoors can be exploited by others
When the CIA undermines a service or a device, it creates the backdoor that can be abused by other parties. With the agency’s newly revealed tools, everything people do or say around their phones and TV’s can create a very revealing and intimate picture of people’s lives.