According to a new report, the CIA’s annual Hacker Jamboree is a conference where government contractors swap security vulnerabilities. Despite the White House’s assurances, there doesn’t appear to have be much consideration made to notifying the vendors so they can fix the flaws.
Apple, that’s who. Or Microsoft, or any of the other vendors whose products US government contractors have successfully exploited according to a recent report in the Intercept. While we’re not surprised that the Intelligence Community is actively attempting to develop new spycraft tools and capabilities—that’s their job—we expect them to follow the administration’s rules of engagement. Those rules require an evaluation under what’s known as the “Vulnerabilities Equities Process.” In the White House’s own words, the process should usually result in disclosing software vulnerabilities to vendors, because “in the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest.”
Nevertheless, the Intercept article describes an annual CIA conference known as the Trusted Computing Base (TCB) Jamboree1 at which members of the intelligence community present extensively on software vulnerabilities and exploits to be used in spying operations. At the 2012 TCB Jamboree, presenters from Sandia National Laboratories, which is a contractor for the Department of Energy, described an attack on Xcode, the Apple software used to compile applications in Mac OS X and iOS. The “whacked” Xcode exploit, called Strawhorse, enables intelligence agents to implant a version of Xcode on developers’ computers which, unbeknownst to the developers, would cause software they compile to include a backdoor or other compromise. If successful, the attack could enable a range of surveillance-friendly applications to be covertly made available to the public. The report suggests that the Sandia team discovered and employed a number of additional vulnerabilities in Apple’s hardware and software, including a vulnerability in Apple’s secure element that enabled them to extract a secret key, and one that allowed modification of the OS X updater to install a keylogger. Finally, the report describes similar presentations on Microsoft’s BitLocker software and others.
The vulnerabilities involved in these exploits were almost certainly unknown to Apple itself, and the documents released by the Intercept do not indicate that the CIA or its contractors ever considered disclosing them to the company. Yet this is what the administration’s Vulnerabilities Equities Process requires—a balancing test that weighs the risk to average users of leaving unpatched vulnerabilities against the needs of the intelligence community.
EFF has sued under the Freedom of Information Act (FOIA) to uncover more about the Vulnerabilities Equities Process, which the White House characterized as a set principles that inform “a disciplined, rigorous and high-level decision-making process for vulnerability disclosure.” Naturally, the Office of the Director of National Intelligence and the NSA have been less than forthcoming in response to our FOIA suit, producing only a handful of highly-redacted documents to date. Given the scanty information we’ve received, and the freedom with which the Jamboree attendees seem to stockpile vulnerabilities, we have doubts that the Equities Process is really as “disciplined and rigorous” as the administration claims.
When asked for comment, an unnamed intelligence official told CNBC: “There’s a whole world of devices out there, and that’s what we’re going to do…It is what it is.”