How Intelligence Agencies Ignore Their Commitment to Disclose “Zero-Day” Vulnerabilities

Breaking news: the CIA and NSA are spying on people! Well, okay, we already knew that, but at least they’re doing this to protect US citizens and are working for the government. Sometimes though, they get carried away and do things on their own, completely ignoring the orders of the US president in the process.

According to the leaked CIA documents code-named Vault 7, the Central Intelligence Agency and the National Security Agency have been amassing vulnerabilities (aka “zero days”), despite ex-president Obama’s order for them to disclose those vulnerabilities to US-based manufacturers such as Google, Microsoft, Apple, and others.

Obama Makes a Government Policy to Disclose New Zero Days by Default

In January 2014, Barack Obama, then president of the United States, issued a government policy requiring every intelligence agency (CIA and NSA included) to disclose, by default, any new vulnerability it discovers.

Now, the agencies are permitted to keep a zero day for themselves, but only in special circumstances, and they must argue their case for keeping it to the Equities Review Board. The ERB itself is chaired by the National Security Council (NSC) and includes representatives of other agencies that might be concerned about the vulnerability.

In general, however, any vulnerability should be disclosed. That goes double if the vulnerability presents a high security risk or is widespread.

Now, we should point out here that this is the president’s intent. There are, however, loopholes that agencies can exploit, which allow them not to disclose vulnerabilities if they really don’t want to.

Still, Obama’s decision was a step in the right direction: before it, the CIA, NSA and other agencies would hoard vulnerabilities by the dozens or even hundreds per year. Since the Vulnerabilities Equities Process (VEP) has been “updated” (it was there before, just nobody paid any attention to it), things have improved.

But the problem persisted.

NSA Not Disclosing Zero-Day Vulnerabilities to Cisco, Juniper and Fortinet

In August 2016, a group of hackers calling themselves “Shadow Brokers” published a cache of top-secret spying capabilities belonging to the NSA. Among them were several then-unknown vulnerabilities (zero days) in security products developed by Cisco, Juniper, and Fortinet and used to protect US-based companies and critical infrastructure.

The leak was originally broadcast via the Shadow Brokers Twitter account @shadowbrokerss, where they announced a Pastebin page (Pastebin.com is regularly used to post .onion links from the dark web) and a GitHub repository.

These two further included instructions on how to obtain and decrypt a file that allegedly contained tools and exploits used by another hacking group connected to the NSA, called “Equation Group”, which Kaspersky Lab describes as “a threat actor that surpasses anything known in terms of complexity and sophistication of techniques”.

The Pastebin page (the original has since been taken down, but an archived copy is available) is titled “Equation Group – Cyber Weapons Auction” and among other things says:

Equation Group Cyber Weapons Auction – Invitation

!!! Attention government sponsors of cyber warfare and those who profit from it !!!!

How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.

Further down the page, you can find the auction instructions:

Auction Instructions

We auction best files to highest bidder. Auction files better than stuxnet. Auction files better than free files we already give you. The party which sends most bitcoins to address: 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK before bidding stops is winner, we tell how to decrypt. Very important!!! When you send bitcoin you add additional output to transaction. You add OP_Return output. In Op_Return output you put your (bidder) contact info. We suggest use bitmessage or I2P-bote email address. No other information will be disclosed by us publicly. Do not believe unsigned messages. We will contact winner with decryption instructions. Winner can do with files as they please, we not release files to public.

There’s also a lot of code, some links, FAQs and even an angry message directed to the “Wealthy Elites”, if you want to check all of that.

CIA “Weaponized” 24 Android “Zero Days”

According to WikiLeaks, the CIA “weaponized” 24 Android “zero days” (developed either by the CIA itself or by other agencies and cyber arms contractors) between 2013 and 2016. That means that the intelligence agencies (and the US government with them) have been involved in researching and gathering different security exploits and zero days.

However, according to XDA Developers, the WikiLeaks report, while certainly worrisome, doesn’t tell the whole story, and a lot of these exploits are by now “dated” (meaning they no longer work).

For instance, the “Freedroid” vulnerability affects Android versions from 2.3.6 (“Gingerbread”) to 4.2 (“Jelly Bean”), but not the versions that followed, such as KitKat, Lollipop, Marshmallow, Nougat and Oreo.

In addition, a number of the leaked exploits target older devices such as the Samsung Galaxy S4, which was released in March 2013, or the HTC One from February of the same year.

Now, it could be that the leaked document was simply out of date, or that the CIA decided not to update it with any new vulnerabilities it discovers, to protect against such leaks. We can’t know for sure, and WikiLeaks itself has redacted some of the information.

Conclusion

In any case, the bottom line is this: CIA, NSA and several other agencies have been ignoring instructions to disclose exploits and zero-days they discover to US companies. Now, these instructions did come from the now-former President Obama, but we didn’t hear anything in the meantime about Trump canceling that order, so we guess they still stand.

How much should you be worried about this? As an individual, probably not that much. Unless you’re a particularly interesting target, your phone, computer or smart TV is likely not being used as a bug. CIA agents don’t just run around hacking people’s devices.

For companies, this is a different matter, and some, such as Cisco, have discovered certain vulnerabilities and warned their customers about them thanks to WikiLeaks.