Why the CIA's iOS, Android and Windows hack stockpile puts zero-day hoards in the spotlight

Why are spy agencies and police building up piles of security flaws? Blame the rise of encryption.
Written by Steve Ranger, Global News Director

The CIA's stockpile of zero-day attacks includes exploits targeting some of the biggest names in tech.

The gigantic leak of CIA documents published by WikiLeaks has shown the scale of the intelligence agency's hacking program, much of it built upon an armoury of zero-day exploits against some of the biggest names in tech. Targets of the hacking project included Apple's iPhone and iPad, Google's Android, Microsoft Windows and even Samsung smart TVs.

Zero-day flaws are vulnerabilities in software that are not yet known to the vendor, so no patch exists for them; attackers can exploit them to alter the behaviour of a product before anyone has had a chance to fix the weakness.

The sorts of flaws that law enforcement and the security services are most interested in are ones that allow surveillance - perhaps a flaw in a smartphone that allows police to turn on the camera or microphone, or a bug in an email package that allows investigators to read messages.

The WikiLeaks documents - known as Vault 7 - apparently show that the CIA has built up a significant stockpile of zero-day flaws to use for surveillance.

According to the leaks, in 2016 the CIA had 24 Android zero-day vulnerabilities, which it had either developed itself or obtained from GCHQ, NSA and others. Add in attacks aimed at other products, including those from Apple, Microsoft and Samsung, plus Linux, and the actual scale of the CIA's zero-day hoard could be much larger, which means that guesstimates about the total number of zero-days in circulation may have to be pushed up significantly.

The collection and use of zero-day attacks by police and spy agencies is controversial for a number of reasons.

If a government knows about a significant flaw in the software used by millions of people but does not warn them because the flaw is useful for snooping, it makes everyone less secure, argue critics. And just because one spy agency thinks it is the only one to know about the weakness, that doesn't mean another isn't already using it too. Zero-day flaws can be unpredictable and cause more damage than expected, and when they leak there is nothing to stop criminals using the same exploits.

NSA-contractor turned whistleblower Edward Snowden said the leaked documents were "the first public evidence" of the US government "secretly paying to keep US software unsafe." He noted: "The CIA reports show the USG developing vulnerabilities in US products, then intentionally keeping the holes open. Reckless beyond words."

Gus Hosein, executive director of campaign group Privacy International, made a similar point: "If the CIA knew of security weaknesses in the devices many of us use - from 'smart' phones to 'smart' TVs - they should have been working with companies to fix the vulnerabilities, not exploit them."

WikiLeaks said the source of the documents wanted to start a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.

"Once a single cyber 'weapon' is 'loose' it can spread around the world in seconds, to be used by rival states, cyber mafia and teenage hackers alike," WikiLeaks said.

Under the US government's Vulnerabilities Equities Process, the default is that software weaknesses found by its agencies should be reported to vendors, but some flaws can be kept secret for purposes of intelligence gathering.

"Serious vulnerabilities not disclosed to the manufacturers places huge swathes of the population and critical infrastructure at risk to foreign intelligence or cyber criminals who independently discover or hear rumors of the vulnerability. If the CIA can discover such vulnerabilities so can others," said WikiLeaks.

"By hiding these security flaws from manufacturers like Apple and Google, the CIA ensures that it can hack everyone... at the expense of leaving everyone hackable," it warned.

It's almost impossible to tell how many zero-day exploits are being hoarded by intelligence agencies and governments around the world. One expert estimated last year that the NSA might have had only a couple of dozen zero-days tucked away. But their use is clearly becoming more common.

The FBI is reported to have paid for a zero-day exploit in order to access an iPhone as part of the investigation into the San Bernardino shootings. And it's not just US law enforcement: the files also show that the exploits were shared with other agencies such as GCHQ, which will also have its own stockpile of flaws.

In 2015, in (heavily redacted) evidence to a government committee, GCHQ said that "the lion's share of vulnerabilities" it used were publicly known, but that vendors had not yet released a fix for them or, if they had, many users were slow to apply the fix.

The agency said around 10,000 vulnerabilities in common security products had been discovered and publicly flagged globally the year before, and that GCHQ itself had discovered a number of vulnerabilities, which it reported so that vendors could improve their products.

Other agencies are also taking the view that zero-days are a necessary element of law enforcement. Late last year the Dutch government gave its police and its central intelligence agency official approval to exploit zero-day vulnerabilities.

There's one big reason for law enforcement's love affair with zero-day attacks. Encryption. Increasingly the apps we use to communicate, and the devices we store information on, are encrypted.

The flows of traffic across the internet that spy agencies used to be able to read easily are now much harder to tap into, largely because tech companies found out, courtesy of Snowden's revelations, that the spy agency snooping went much further than previously imagined, and responded by encrypting far more of that traffic.

The police and intelligence agencies call this 'going dark', and worry that criminals and terrorists will be able to plot in uncrackable secrecy.

So instead they have started investing vast sums in researching and buying zero-day exploits, which allow them to hack into devices directly. Doing so means they don't have to crack encryption, which for the most part remains extremely hard. Zero-day vulnerabilities can cost from a few thousand dollars to much bigger sums for the big ones: one company offered £1.5m for a remotely exploitable flaw in iOS 10, for example.

It's irrelevant how well encrypted your communications are if the spies can listen in before they are encrypted: once the endpoint is compromised, messages can be read on the device itself, before encryption on the way out or after decryption on the way in, so even end-to-end encryption offers no protection.
