Last year we discussed the discovery of Pegasus, the most sophisticated cyber espionage tool ever discovered in the wild, and how it had been used by a nation state against an individual by attempting to compromise his iPhone. We knew that this wasn’t the only tool out there, or the only government engaging in this type of warfare. Now we have further proof, and some advice on how you can protect yourself and your organization.
WikiLeaks just revealed a multi-part project on the CIA that they call “Vault 7”. The first installment, “Year Zero”, is a TL;DR batch of 8,761 documents and files that demonstrates the Agency takes its job of spying very seriously. It should come as no surprise that the CIA has developed and/or acquired a vast arsenal of cyber espionage tools to perform their information gathering activities. In this blog, I have no intention of discussing the legality, morality or necessity of their activities and methods. However, there are a couple of important takeaways for individuals and organizations interested in mobile security.
The first is to take a very objective look at what was disclosed. Most people who have given this any real thought have assumed all along that the agency operates this way, so what stands out is the sheer volume of tools amassed at its disposal. Although there may be legitimate national security reasons for doing so, let’s first recognize that in certain respects…
The CIA behaves like a malicious hacker, not like a security company.
- When security companies, like Skycure, discover a vulnerability, they bring it to the developer and work with them to get it patched. This approach makes everyone safer from hackers and cybercriminals.
- When malicious hackers (and the CIA) discover a vulnerability, they keep it to themselves and develop tools to exploit that vulnerability for their own purposes. This approach puts our personal privacy and organizational data at greater risk, since the CIA is not the only entity looking for and exploiting these vulnerabilities.
This is not a value judgment, but rather a statement of fact. It means we must accept that there will always be vulnerabilities in our mobile devices that have not been disclosed and patched, and that weaponized tools targeting those vulnerabilities are ready to be used today.
This brings me to the second takeaway, which is that…
Defense solutions must be as sophisticated and effective as the tools they defend against.
- Mobile Threat Defense solutions must assume that the worst threats are not to be found in databases, so they must have the ability to recognize and defeat deep and covert infiltrations.
- Cyber espionage tools depend on stealth and the idea that security software (and the user) will be unable to differentiate between its malicious code/methods and those that are standard and built into the device.
- Crowd-sourced intelligence, in combination with on-device anomaly detection, is an essential element to defeat many of the subtle and clever methods that are unrecognizable as malicious when relying on the observations of only a single device.
This first dump of data on the CIA cyber espionage program indicates that the CIA has no less than 24 weaponized zero days for Android alone. A zero day is an exploit that leverages one or more undisclosed or unpatched vulnerabilities, such that security solutions relying primarily on databases of vulnerabilities and known exploits will fail to identify it or protect against it.
Here are a few interesting examples pulled from the Year Zero dump:
- Cadmium, a zero-day vulnerability in Samsung bootloaders that allows the attacker to load an unsigned boot image. The Galaxy S6 is mentioned; other devices might be vulnerable too.
- Abusing the Captive Portal mechanism for gaining code execution: one of the methods used was to set up a rogue access point with a malicious captive login page. The malicious page would then, using exploits, gain code execution on iOS devices.
- A tool named “Flameskimmer” used to exploit Broadcom WiFi chipsets, with a Galaxy Note 4 given as an example.
So what can be done to defend against these threats? As I said above, a defense solution must be in place to provide the real-time intelligence about what is happening on the device, in the apps or on the networks used for communication. The solution must be sophisticated and not rely entirely on databases of known threats. Effective defense requires a deep understanding of the mobile operating systems and the methods of infiltration and exploitation.
Skycure Research is 100% focused on staying ahead of hackers by thinking the way they do to defend against their methods, and the Skycure solution is designed exactly for this purpose. While the full details of the many exploits were not published, the methods described or implied are ones that would be detected by Skycure’s multi-layer approach to detecting threats, uniquely leveraging our real-time access to essential global data.