
Open Rights Group calls for control of spies’ use of zero-days

Wikileaks’ publication of documents detailing CIA hacking tools has prompted calls for government to control spy agencies’ use of vulnerabilities in widely used hardware and software

A digital rights group has called on government to regulate the way their intelligence agencies hoard and use vulnerabilities that affect devices owned by millions of ordinary people.

The call comes after Wikileaks published details of US Central Intelligence Agency (CIA) hacking tools that exploit zero-day vulnerabilities in most desktop and mobile operating systems.

“While targeted surveillance is a legitimate aim, we need to know that government regulation of this area is sufficient,” said Open Rights Group campaigner Ed Johnson-Williams.

“From what we learnt during the passage of the Investigatory Powers Act, it appears that the ‘creation’ of techniques is not really regulated at all,” he wrote in a blog post.

The leaked CIA documents indicate that US intelligence agencies are working with the UK to stockpile vulnerabilities that can be used on Microsoft Windows, Mac and Linux computers, as well as iOS and Android smartphones and smart TVs.

In the light of the fact that many of the vulnerabilities disclosed came from UK intelligence agencies, Johnson-Williams said the UK government has serious questions to answer, such as:

  • How does the government ensure that GCHQ’s process for deciding whether to exploit or report a vulnerability is adequate?
  • Are they creating unnecessary risks for organisations and individuals?
  • How do oversight bodies check that GCHQ’s policies for assessing the risk of keeping an active vulnerability secret are sufficiently robust?
  • Did any hacking operations reduce the security and privacy of an individual/organisation with respect to other actors?
  • Is the authorisation process sufficient to avoid future problems?
  • How will the UK government and agencies work to clean up the mess created by their decision not to report these vulnerabilities to the suppliers?

Johnson-Williams said while the spy agencies will use these vulnerabilities for targeted surveillance, the same vulnerabilities can also be discovered and exploited by criminals and other countries’ intelligence agencies.

“GCHQ’s decision to keep their exploits secret could have devastating effects for society at large. It is likely that the CIA and GCHQ are not the only organisations with knowledge of these vulnerabilities with the capability to exploit them,” he wrote.

“The agencies have, possibly through their own mistakes, increased the risks vastly by failing to ensure that the vulnerabilities are either reported or kept to themselves.”

Whatever benefits there may have been to GCHQ and the US agencies in stockpiling these vulnerabilities to use for “good”, Johnson-Williams said the “race is now on” to repair them as fast as possible.

Open Rights Group is calling on the US National Security Agency (NSA) and GCHQ to disclose what they know about repairing these vulnerabilities and how they might be exploited to assist in this effort.

“The agencies must now work with the manufacturers of internet-connected devices such as phones, laptops, TVs and routers, but potentially also fridges, toasters and home automation systems to repair the vulnerabilities,” said Johnson-Williams.

Open Rights Group said manufacturers of internet-connected devices that make up the internet of things (IoT) have an ongoing responsibility to prioritise security, to actively test the security of the devices they sell and to push out security updates to fix known vulnerabilities.

“At the moment, we have a secretive and unaccountable system of device hacking, badly in need of accountability and oversight,” wrote Johnson-Williams.

“We should remember that our worry is only partly the agencies. It is the results of their actions, especially through enabling criminality, that we most need to worry about.”

Technology firms respond to vulnerabilities

The leaked documents have prompted affected technology firms to issue statements about their plans to issue fixes.

Apple said it has already addressed some of the vulnerabilities in the latest version of its iOS mobile operating system, but will work quickly to address any other vulnerabilities.

Samsung said it was aware of reports that the UK’s MI5 security agency helped to develop malware for hijacking the microphones of Samsung smart TVs and that the firm was “urgently looking into the matter”.

The Linux Foundation told the BBC that rapid release cycles enable the open source community to fix vulnerabilities and release those fixes to users faster.

Google declined to comment about allegations that the CIA was able to “penetrate, infest and control” Android phones due to its discovery and acquisition of zero-day vulnerabilities in the code.

Comodo and Kaspersky Lab said the vulnerabilities in their software mentioned in leaked documents were obsolete and had been fixed, while Avira said it had fixed flaws in its code soon after Wikileaks published the documents and AVG said the bypass mentioned by the documents was “theoretical”.

F-Secure dismissed comments that its security software is a “lower-tier product that causes minimal difficulty” by highlighting that F-Secure is described elsewhere as an “annoying troublemaker”.

“The leak tells us a bit about how the CIA decided to use its knowledge: it considered it more important to keep everybody unsecure than protecting its citizens from the vulnerability, and maybe use the vulnerability for its own purposes or counter-terrorism purposes,” said Mikko Hypponen, chief research officer at F-Secure.

Security industry commentators said individuals and companies that discover they are using vulnerable products will have to assess their own risks and decide what course of action to take to mitigate them.

“This may involve temporarily disabling or disallowing some products until vulnerabilities are patched, or even switching to new products,” said Shuman Ghosemajumder, CTO of Shape Security.
