[BreachExchange] This is why you should be terrified of the Wikileaks Vault 7 data dump

[Audrey McNeil]

http://mashable.com/2017/03/08/what-wikileaks-vault7-reminds-us-about-iot/

Beautiful. Unethical. Dangerous.

That’s how Lucius Fox described Batman’s hacking wizardry in part two of
Christopher Nolan’s Batman trilogy, The Dark Knight.

In the film, the caped crusader took Fox’s single-cellphone sonar concept
and used it to light up every microphone on every mobile phone in Gotham,
creating a real-time sonar soundscape, all to find one bad guy, the Joker,
among millions of innocents.

It was beautiful for its audacity and creativity and also deeply troubling.
The technology so disturbed Fox that he quit.

In real life, it isn’t just the good guys who are looking to use every
available digital device to find the unfindable.

When I read through portions of WikiLeaks’ Vault 7 data dump, a treasure
trove of alleged CIA-supported hacking activity, what struck me was not
that the CIA is building and hoarding zero-day hacking tools, but the array
of targets and how the dream of hackers (inside and outside the CIA) might
be a Dark Knight-style listening technology powered by all our our devices.

Forget quaint notions of a basement-dwelling hacker wondering if he can
break into the latest version of Windows (he probably still can) or even
someone hoping to drop a malware-filled app on your Android. The hacker’s
canvas is now as vast as our digital lives. The CIA (or the contractors
they hired) are looking at everything, including specific tools to hack:

cars

TVs

Internet of Things (IoT) devices

The last category is encompasses so many devices that it no longer bears
categorization.

In the documents, here's how the CIA (or the hacker contractors) defines
Internet of Things:

Technical:  A single-purpose device that has a firmware running a software
operating system.

Non-technical:  A computer serving a singular function that doesn't have a
screen or keyboard.

Really non-technical:  "The Things in the Internet of Things"

IoT can include almost any piece of technology in your house: you
thermostat, refrigerator, washer/dryer, front door lock and even light
bulbs. If it has a chip, an operating system, power and is connected to the
internet, it fits the profile.

Earlier this year, LG promised to make all its appliances Wi-Fi-enabled and
cloud-connected. What a hacker hears is “more attack vectors.”

I get the concern about the CIA potentially building all these tools, but
the assumption should not be that they are building them to spy on us (most
of us are just not that interesting). As a spy agency, CIA’s job is to spy
on those outside the U.S. Its goal is to protect (and further) U.S.
interests.

It’s safe to assume that their work in this case is a reverse mirror image
of the work hackers around the world are currently engaged in, all hoping
to somehow steal information from the U.S. government and its citizens.

Today’s level of device intelligence and connectivity has, obviously,
transformed out lives for good. Technology is the 21st century’s greatest
tool. But that tool is a double-edged sword, swiftly cutting through the
distance that separates us and the fog of too little or too much
information to find answers that matter. The other side? It can cut like a
knife, in an instant.

It’s clear from the Vault 7 documents that both parties see the same buffet
of opportunity arrayed around them: So many products with chips. So many
connected to the Internet. So many with built-in cameras and microphones.

In virtually every spy movie and TV show produced in the last 40 years, the
very first thing a spy does to surviel her target is place a “bug” or
microphone somewhere on the person or in their home or office. That’s
totally unnecessary now. The CIA hackers, thinking as spies do, looked for
the path of least resistance:

“Oh, there’s a microphone in Samsung TVs? How do we access that?”

Granted, the CIA didn’t get very far. They found an awesome firmware
vulnerability that would make the TV look like it was off when it was still
on, engaging the microphone at the same time, relaying audio back to home
base. Still, the vulnerability was limited: Even though these TVs are, like
everything else, connected to the Internet and have their own IP address,
the only way the CIA could find to infect the sets was through the built-in
USB ports. In other words, hacking the TVs required physical access to the
sets.

Even so, point made.

If the CIA contractors are doing their job, though, they must be thinking
about all the other avenues. Amazon’s Echo has an excellent, built-in
microphone array. It can hear you almost whisper “Alexa” from across the
room. How's the security on that?

Naturally, the hackers were also looking at our cars or, as they call them,
“Vehicle Systems (e.g. VSEP).” They are, essentially, motorized computers.
There are microphones so you can speak to your cars and intelligence
(sensors, robotics, AI) that helps you avoid accidents — sometimes even
drive the car for you. And most new cars are now connected to the Internet.
Imagine how enticing all that sounds to hackers.

It’s not clear from this initial document dump if the CIA got very far with
their car-hacking efforts, but that doesn’t mean they’re done trying.

Putting aside for a moment the concerns about why the CIA was doing this
and even why they so poorly protected this sensitive information and didn’t
share vulnerabilities they found with the companies whose products they
affected (like Apple and Google), we face an uncomfortable truth.

The more connected and plugged in we are, the more attractive every aspect
of our lives is to hackers.

The Dark Knight’s fanciful idea of lighting up millions of cellphone
microphones to find a dangerous needle in a haystack starts to sound a lot
more plausible when you realize how many IoT devices have microphones.
Sure, they will pick up mostly useless noise, but if the tools are out
there or at least being built by the good guys and the bad guys, it’s only
a matter of time before hackers outside the U.S. look for ways to listen
wherever they can to find intelligence and even basic personal information
they can use to steal your identity. It’s not hard to imagine an ongoing
terror threat that would make listening to every American somehow sound
reasonable.

It’s an utterly terrifying idea and, as Lucius Fox succinctly reminded
Batman, “This is wrong.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170309/1f5afea1/attachment.html>