Security firms have started assessing the impact of the CIA hacking tools exposed on Tuesday by WikiLeaks as part of the leak dubbed “Vault 7.”
Files allegedly obtained from a high-security CIA network appear to show that the intelligence agency has tools for hacking everything, including mobile devices, desktop computers, routers, smart TVs and cars.
The published files also appear to show that the CIA has targeted the products of many security solutions providers, including anti-malware and secure messaging applications. The list of affected vendors includes Symantec, Kaspersky, Avira, F-Secure, Microsoft, Bitdefender, Panda Security, Trend Micro, ESET, Avast, AVG, McAfee, Comodo and G Data.
While WikiLeaks has not released any of the exploits it has obtained, an initial investigation conducted by security firms indicates that the CIA’s capabilities may not be as advanced as some have suggested.
..what Wikileaks won't tell you: almost everything in their dump is dreadfully ordinary, widely known by the cybersec/hacking community
— Rob Graham٩(●̮̮̃●̃) (@ErrataRob) March 8, 2017
Bitdefender told SecurityWeek that the public Vault 7 files show that the CIA had been having problems evading the company’s products.
Kaspersky Lab said one of the vulnerabilities mentioned in the report was patched in 2009, while another was addressed in December 2015.
“All current Kaspersky Lab solutions are subject to mandatory testing against these vulnerabilities prior to release. The products mentioned in the Wikileaks report (KIS 7, KIS 8, WKSTN MP3) are outdated versions of Kaspersky Lab software and have been out of the technical support lifecycle for several years,” the security firm said in an emailed statement.
“We would like to stress that the documents published by Wikileaks do not describe any computer breaches against Kaspersky Lab, or against any other security firms or customers, but instead depict efforts to reverse engineer and find vulnerabilities in computer security software products,” it added.
Comodo also said its product appeared to pose problems to the CIA. WikiLeaks mentioned that the agency had bypassed Comodo’s product by hiding malware in the Recycle Bin, but the vendor said such tricks would not have worked against versions of its product released in the past four years.
“What we are seeing in the leaked documents are their desperate attempts to build a hack, step-by-step, with the ultimate goal of achieving a total bypass of the security, such as trying to find something like a kernel exploit. But as their email says, in the case of Comodo, they end up with nothing,” said Melih Abdulhayoglu, founder and CEO of Comodo.
Microsoft, whose EMET and Security Essentials products are mentioned in the leak, told SecurityWeek that it’s aware of the report and looking into it. Trend Micro is also investigating.
F-Secure has assured customers that the bypass method described in CIA documents does not affect its DeepGuard and Security Cloud products.
“The methods described in the alleged CIA document aren’t able to prevent detection on the endpoint even with our traditional antivirus, but bypass detection of an archive file in a very specific condition, most likely during a content inspection at a gateway level. Thus, the described methods alone will not be sufficient to breach the target and would require further chaining of attack tools. On modern endpoint protection, there are additional security layers that will kick in at a later stage when the archive content will be unpacked and the malicious payload is being launched,” F-Secure explained.
“Scan engine evasion tricks as described in the CIA document are in fact counter-productive for an attacker when the defender is using a product which has a modern security stack that contains online query support such as our security cloud. Anything that modifies a binary so that a scan engine database will not detect it will make a sample unique and thus highly suspicious when the local endpoint protection is supported by intelligence from the cloud,” the company added.
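The point F-Secure makes is that a cloud prevalence lookup turns signature evasion against the attacker: a binary altered so that it no longer matches a scan-engine database also no longer matches the hash that thousands of other endpoints have reported, so it stands out as a never-before-seen file. The following is an added illustration, not code from the article or from any vendor mentioned in it; the prevalence database, the file contents and the thresholds are all constructed for the example.

```python
import hashlib

# Constructed stand-in for a vendor's cloud prevalence service:
# sha256 hex digest -> number of endpoints that have reported the file.
CLOUD_PREVALENCE: dict[str, int] = {}

# Constructed sample "binary": a widely deployed, benign file.
ORIGINAL_BINARY = b"MZ\x90\x00" + b"benign-installer-v1" * 64


def sha256_hex(data: bytes) -> str:
    """File identity as used by a hash-based prevalence lookup."""
    return hashlib.sha256(data).hexdigest()


def register_known_file(data: bytes, endpoint_count: int) -> None:
    """Simulate many endpoints having reported this exact file to the cloud."""
    CLOUD_PREVALENCE[sha256_hex(data)] = endpoint_count


def assess_sample(data: bytes, rare_threshold: int = 10) -> str:
    """Prevalence verdict for a file, independent of any signature match.

    Returns one of:
      "prevalent"      - seen on many endpoints, low suspicion
      "rare"           - seen on a few endpoints, elevated suspicion
      "unknown-unique" - never reported anywhere, highest suspicion
    The threshold is an assumption for the example, not a vendor setting.
    """
    seen = CLOUD_PREVALENCE.get(sha256_hex(data), 0)
    if seen == 0:
        return "unknown-unique"
    if seen < rare_threshold:
        return "rare"
    return "prevalent"


def altered_copy(data: bytes) -> bytes:
    """Stand-in for any byte-level change made to dodge a static signature.

    The specific transformation does not matter for the prevalence check;
    here a single byte in the trailing padding is flipped, which is enough
    to give the file a hash no other endpoint has ever reported.
    """
    buf = bytearray(data)
    buf[-1] ^= 0x01
    return bytes(buf)


# The original file is widely deployed: 50,000 endpoints have reported it.
register_known_file(ORIGINAL_BINARY, endpoint_count=50_000)


def compare_verdicts() -> tuple[str, str]:
    """Verdict for the widely seen file versus its signature-evading variant."""
    return assess_sample(ORIGINAL_BINARY), assess_sample(altered_copy(ORIGINAL_BINARY))


if __name__ == "__main__":
    original, variant = compare_verdicts()
    print(f"original file : {original}")   # prevalent
    print(f"altered copy  : {variant}")    # unknown-unique
```

The lookup keys on the full-file hash, so the verdict does not depend on which bytes were changed or why; a legitimately unique file (a freshly compiled in-house tool, for instance) would also score as "unknown-unique", which is why vendors treat prevalence as one layer among several rather than a verdict on its own.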
Panda Security says it has yet to find exploits or tools targeting its products in the publicly available files.
“That doesn't mean there won't be any, at the end of the day we are talking about software. We expected to be there, the fact that we do not collaborate in any way to spy on our users turns Panda into a target for the CIA, FSB, and that kind of organizations,” said Luis Corrons, Technical Director of PandaLabs.
Avira said the CIA’s Entropy Defeat bypass technique does affect its products, but classified it as a “minor vulnerability” that it patched within a few hours after the WikiLeaks release. The company has not found any malware samples that used this technique.
“Our antivirus software includes several protection layers, both locally and in the cloud,” said Avira CTO Matthias Ollig. “The bypass described in the leaked documents affects only one of several different and independent detection modules – and within the affected module only a subset of detection rules.”
ESET told SecurityWeek that the bugs described in the leak are all "known and very old"; they were patched several years ago. Symantec said there is “no evidence of the ability to bypass or exploit vulnerabilities in Symantec products and services.”
As for enterprise security vendors, Juniper Networks has not found any evidence that its products have been targeted, but there appear to be several exploits targeting Cisco devices. Cisco has published a blog post with a preliminary analysis.
Secure messaging tools not compromised
WikiLeaks reported that the CIA had found a way to bypass the encryption of Signal, Telegram, WhatsApp and other secure messaging applications.
While many jumped to the conclusion that the agency had broken the encryption of these apps, what WikiLeaks meant was that gaining access to a mobile device through iOS and Android exploits could have given the CIA access to conversations on that device, without any need to break the apps’ encryption.
The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption.
— Open Whisper Systems (@whispersystems) March 7, 2017
*Updated with information from Avira, ESET, F-Secure, Symantec and Cisco