The Google Nexus was one of many Android devices targeted by the CIA, according to Wikileaks files released Tuesday. (Photo by Justin Sullivan/Getty Images)
It’s been less than 24 hours since Wikileaks released files it claims contain information on the myriad tools the Central Intelligence Agency (CIA) used to hack and surveil Android cellphones, as well as iPhones, TVs, cars and more. Google is yet to officially comment, but Forbes understands the company’s researchers are busy scouring the 8,000-page data dump as they try to determine whether they need to get working on patches.
It’s not yet clear how bad the damage is. Exacerbating Google’s pain is the knowledge that any triage and subsequent patching will be extraordinarily difficult, given the lack of any code showing just where weaknesses lie. So whilst the Wikileaks release has made it apparent there are multiple, possibly previously-unknown vulnerabilities (known as zero-days) that now need fixing, Google staff have few leads to go on.
Alongside exploits for Apple’s iOS, there are many named CIA Mobile Device Branch tools specifically for breaking Android security with little detail on how they might work. For instance, there are at least 10 remote code execution bugs, the most critical weaknesses where a hacker can run malicious code from anywhere on the planet. There’s the BaronSamedi hack, which targeted a specific code library that Google can at least investigate. Then there’s the EggsMayhem hack created by the NSA and GCHQ that appears to target the Chrome browser. Or the Dragonfly attack, for which there’s next to no information available. Going right to the heart of Android, there’s an exploit called Sulfur for the operating system’s kernel to force it into leaking information, affecting versions 3.10 and later.
There’s slightly more comprehensive information on a tool called RoidRage, a malware that appears to allow some remote control over Android devices. Alongside descriptions of some of its tools, the CIA also named specific cellphones they targeted, including Google Nexus and Samsung models, like the S5 and the Note 3.
Michael Shaulov, head of mobile security at Check Point, told Forbes that having looked through the files he believes there are multiple Android zero-days in the Wikileaks dump, though there’s no evidence of any exploits affecting versions after 4.4 (the latest is Android 7, also known as Nougat). “On Android there are a couple of dozen exploits that they’ll need to manage,” he said.
But Google will have a tough time not only determining which bugs it can patch, but then disseminating those fixes across all Android devices. “There’s no starting point for vendors for where they need to patch or what exactly they patch here.”
“From our experience when you do responsible disclosures on Android, even when you try to do it the proper way, it’s very difficult [to disseminate patches],” Shaulov said. “There’s a 25 per cent probability things will go wrong.”
He believes the CIA has more up-to-date exploits, even if they’re not in the Wikileaks files. “Clearly this is fresh information, but it’s probably a snapshot of Q1 or Q2 2016,” Shaulov added.
Paying for Android vulnerabilities
Android security expert at CloudFlare, Tim Strazzere, said the more interesting aspect of the Wikileaks release was the number of exploits the CIA purchased. Such vulnerabilities can fetch upwards of $1 million per bug, though only iOS hacks have been known to cost so much. As with Apple’s OS, the CIA ostensibly used codenames for its cyberarms dealers, including Anglerfish and Fangtooth, or just simply called them a partner.
“The bulk are bought, and bought from one source,” he said. “One could assume everyone else has also bought these.” The implication from Strazzere is that the CIA has access to the same Android attack code as other government buyers around the world.
Those exploit dealers operate largely in secret and sell globally. Outside of independent hackers, companies like Israel’s NSO Group, Washington D.C.-based Zerodium, and Austin’s Exodus Intelligence all focus on finding and selling hacks of widely-used software. None had offered comment at the time of publication.
The world’s most famous leaker, Edward Snowden, on Tuesday voiced what many digital rights activists feel about the market and the government’s investment in it, writing on Twitter: “The CIA reports show the [U.S. government] developing vulnerabilities in U.S. products, then intentionally keeping the holes open. Reckless beyond words.”
Evidence mounts showing CIA & FBI knew about catastrophic weaknesses in the most-used smartphones in America, but kept them open — to spy. https://t.co/mDyVred3H8
— Edward Snowden (@Snowden) March 7, 2017