Having just spent much of the day browsing through Wikileaks’ latest batch of documents from the intelligence community — in which government agents discussed ways to circumvent mobile encryption and to listen in on conversations near smart devices including smart TVs — it’s clear that government agents have long had the ability to grab mobile content before it’s encrypted.
Some of the tactics have names that are quite explicit about their function, such as a TV mode called “TV Fake-Off.” These docs provide a fascinating look into the government teams that are emulating cyberthieves, trying to improve on their techniques rather than thwart them.
Personal security products (PSP) “sandboxes typically have a set time limit they analyze a program for before making a decision. PSPs do not want to impose unnecessarily long wait times on the user, which may cause the user to disable PSP components or try other products out of frustration,” said one typical passage. “A common technique of exploiting this mechanism is using a Sleep-like call at the start of a program to ‘run out the clock.’ PSPs caught on and many will skip the sleep calls in their sandbox environment. To counteract this, malware authors will call a meaningless function which performs some kind of task or calculation that takes a while to complete, before performing any malicious action. This makes it harder/impossible for PSPs to know what to skip, and the malware can effectively ‘run out the clock’ while in a PSP sandbox.”
Learning from the enemy
Interestingly, the CIA and other intelligence firms are doing the same process as most security firms — studying cyberthief tactics — but instead of using that knowledge to improve defenses, the CIA is using those lessons to craft better attacks.
“This is a very impressive set of tools gathered,” said Doug Barbin, principal cybersecurity leader of Schellman & Co., a CPA firm. “But it wasn’t something that a security researcher would be too surprised by. It’s so detailed, though, that it takes the debate out of whether or not these types of attacks are hypothetical.”
Barbin added, though, that some of the initial reports have been misleading. The CIA’s tested method of monitoring that smart TV, for example, he said, used a USB stick placed into the set to initiate any monitoring. That would require physical contact with the set, as opposed to an over-the-air method of intercepting data.
Although Barbin’s point is well taken, some of these memos are two years old. Just because it was tested with a USB insert doesn’t mean that the attack couldn’t today be launched wirelessly.
Another security professional, Ken Pfeil, the chief architect at the TechDemocracy consulting firm, was equally unimpressed with the CIA’s tactics.
“These are pretty standard. The fact that they are using DLL injection is not surprising. In the exploit world, some of this stuff is pretty basic,” Pfeil said. “There is nothing sitting in front of me [from the Wikileaks data dump] that would surprise me. Absolutely nothing.”
Agreed. Only the dumbest terrorist would opt to hold terror planning meetings in the same room as a smart TV that supports voice recognition. Then again, who ever said terrorists are especially smart? If only one plan is thwarted from some IQ-deficient murderer, it’s likely worth the effort.