Tech giants Apple and Samsung probe WikiLeaks smart spy claims

8 Mar 2017

Weeping angel. Image: mbolina/Shutterstock

Major tech companies are investigating revelations in WikiLeaks documents that claim CIA spies can snoop on smartphones and smart TVs.

Apple, Samsung and Microsoft are probing the latest trove of WikiLeaks documents, after claims were made that CIA spies can snoop on smartphones and smart TVs.

The store, dubbed ‘Vault7’, consists of 8,761 individual documents created between 2014 and 2016, which found their way out of the CIA servers and into the hands of WikiLeaks.

‘Expect to see a lot of software patches from Microsoft, Apple, Android etc in coming weeks’

In what is understood to be the biggest reveal since Edward Snowden blew the whistle on the NSA’s mass surveillance activities, the documents point to a vast armoury of cyber weapons that allow spies to snoop on any device they wish, from iOS devices to Android phones, Windows machines and more.

The documents claim, for example, that through a set of exploits code-named ‘Weeping Angel’, a Samsung smart TV can be used to act as a kind of bug that records conversations in a room and then sends them to a CIA server via the internet.

The angels are weeping

WikiLeaks claimed that the attack against Samsung smart TVs was developed in cooperation with the UK’s MI5/BTSS. Weeping Angel places the target TV in a ‘fake-off’ mode so that the owner falsely believes the TV is off when it’s not.

In the case of Apple, it is alleged that the CIA has created methods for malware, zero-day exploits and the ability to hack iOS, Android, Windows, macOS and Linux devices.

‘We are aware of the report in question and are urgently looking into the matter’

Not only that, but the documents point to collaboration between the CIA and agencies such as GCHQ to bypass the encryption on apps such as WhatsApp, Telegram and Signal.

In the last two years, Apple CEO Tim Cook has upheld a brave and passionate defence of encryption on Apple devices, despite pressure from the FBI to put a backdoor in place.

Samsung has confirmed it is investigating the claims made by WikiLeaks.

“Protecting consumers’ privacy and the security of our devices is a top priority at Samsung,” the company said in a statement.

“We are aware of the report in question and are urgently looking into the matter.”

Apple said that its latest iOS operating system, iOS 10.2.1, already fixes the vulnerabilities suggested in the WikiLeaks documents.

“While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities,” Apple said.

“We always urge customers to download the latest iOS to make sure they have the most recent security updates.”

Software giant Microsoft said it is aware of the report and is also investigating the matter.

How credible is the WikiLeaks Vault7 trove?

Various security experts believe the WikiLeaks documents to be genuine.

“The material certainly seems credible in terms of being a leak from a well-resourced government level agency such as the CIA,” said Dermot Williams of Threatscape.

‘Unfortunately, US government computer systems, policies and procedures are largely outdated in today’s hostile world of connected technologies’

“This is supposedly just the first of multiple tranches of CIA data that WikiLeaks will be releasing, though they comment that today’s release is more than the first three years of Snowden-related disclosures.

“The political angles are possibly as interesting as the technical. The NSA are supposed to be the technical big dogs when it comes to three-letter agencies in the USA, but it seems the CIA didn’t like having to tell the NSA what they were working on and who their targets were whenever they needed to ask for their help in hacking someone, so they instead invested what must have been a lot of money into developing their own technical capabilities. So, lots of inter-agency mistrust and rivalry going on.

“If rumours are true that this trove of CIA info has been doing the rounds for a while before landing on WikiLeaks’ lap, we can only assume that at least a few bad actors have managed to get their hands on it – and might already be exploiting the ‘motherload’ of vulnerabilities it presents. Expect to see a lot of software patches from Microsoft, Apple, Android etc in coming weeks.”

Graham Cluley of Cluley Associates is dubious about the capabilities of the documents, and said that people should not be misled by claims that the CIA has zero-day vulnerabilities it can use to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman.

“Instead, it appears that WikiLeaks is merely referring to the CIA’s ability to infect smartphones with spyware that can record conversations and keystrokes,” Cluley said.

“No-one wants to be snooped on in that way, of course, but it’s a very different prospect from secure apps like Signal being found to contain a fundamental weakness.

“If an unauthorised party has physical access to your computer or mobile device, then all bets are off. Of course, they could install spyware onto it.”

Cluley also debunked the idea that Samsung TVs are being converted into spying devices.

“‘Weeping Angel’, named after a terrifying Doctor Who monster that you really shouldn’t blink at, is installed via a USB stick.

“If you’re worried about the prospect of an intelligence agency breaking into your home in order to plug a malicious USB stick into the back of your Samsung smart TV, then I’d argue you probably should also be worrying that intelligence agencies are breaking into your house full stop.”

Mike Ahmadi, global director of critical systems security at Synopsys, said that the heart of the issue is the CIA’s own vulnerability, in terms of data getting offsite.

“Unfortunately, US government computer systems, policies and procedures are largely outdated in today’s hostile world of connected technologies.

“The moment anything with either external connectivity or mobility (eg a USB memory stick) gets near such systems, the game is over.  The software running on legacy government computer systems is so fraught with vulnerabilities that any level of access creates the potential for a security breach.

“The government needs to take a closer look at their exposure if they hope to defend against what is becoming an embarrassing regular occurrence,” Ahmadi said.

Brian Vecci, technical evangelist with Varonis, agrees. “In performing forensics on the actual breach, the important examination is to determine how 8,761 files just walked out of one of the most secretive and confidential organisations in the world. Files that were once useful in their operations are suddenly lethal to those same operations.

“We call this toxic data; anything that is useful and valuable to an organisation but once stolen and made public, turns toxic to its bottom line and reputation. All you have to do is look at Sony, Mossack Fonseca and the DNC to see the effects of this toxic data conversion.”

Whatever way you look at it, the genie is out of the bottle and, as Williams said, you can expect many device makers and app providers to be issuing updates in the days and weeks ahead.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years