CIA Can Hack, Track Windows Devices Via WiFi
RELATED: >>>/realnews/2003 (https://archive.fo/hXjld)
New documents released on Wednesday as part of WikiLeaks' series of CIA hacking revelations detail a method the agency uses to geolocate computers and the people using them. The agency infects target devices with malware that can then check which public Wi-Fi networks a given computer can connect to at a given moment, as well as the signal strengths of those networks. From there, the malware compares the list of available Wi-Fi options to databases of public Wi-Fi networks to figure out roughly where the device is.
The leaked documents detailing the project, which is known as ELSA, date back to 2013, and specifically address laptops and PCs running Windows 7. But experts say that the technique is straightforward enough that the CIA could have a version of it for every Windows release.
“This technique has been done and known about for a long time,” says Alex McGeorge, the head of threat intelligence at the security firm Immunity. “It’s like give me all the information from the radios on your [device] to try to get a better fix on your location.”
ELSA only works on Wi-Fi-enabled workstations, but that’s … pretty much everything at this point. The specific process involves installing malware on a target computer, using that to access the victim device’s Wi-Fi sensor to check for nearby public Wi-Fi points, logging each one’s MAC address and Extended Service Set Identifier (the fingerprints of a Wi-Fi network), and then checking those identifiers against publicly available Wi-Fi databases maintained by Google and Microsoft. By combining this location data with signal strength readings, the malware can calculate the device’s approximate longitude and latitude at a given time. It then encrypts this data and stores it until a CIA agent can work to exfiltrate it. ELSA also includes a removal process so the CIA can cover its tracks.
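To make the positioning step concrete, here is a small added illustration (not ELSA code, not from the article or the leaked manual) of how a scan of visible access points turns into a position once their identifiers are matched against a location database. The BSSID database and the scan results are constructed sample values, and the RSSI-weighted centroid is one simple estimator assumed for illustration; it shows why a list of nearby BSSIDs is itself sensitive data.

```python
# Added illustration of Wi-Fi-based positioning. Constructed data only: the
# database below stands in for the public BSSID databases the article mentions.

# Constructed lookup table: BSSID (access-point MAC) -> (latitude, longitude).
KNOWN_APS = {
    "00:11:22:33:44:01": (52.5200, 13.4050),
    "00:11:22:33:44:02": (52.5210, 13.4070),
    "00:11:22:33:44:03": (52.5190, 13.4030),
}

# Constructed scan results as the client would see them: (BSSID, ESSID, RSSI dBm).
SCAN = [
    ("00:11:22:33:44:01", "cafe-guest", -45),
    ("00:11:22:33:44:02", "hotel-wifi", -70),
    ("00:11:22:33:44:03", "library", -60),
    ("aa:bb:cc:dd:ee:ff", "home-net", -50),  # not in the database: contributes nothing
]


def rssi_weight(rssi_dbm):
    """Convert dBm to a linear power ratio so a stronger AP pulls the fix harder."""
    return 10 ** (rssi_dbm / 10.0)


def estimate_position(scan, db):
    """RSSI-weighted centroid of the known access points seen in the scan.

    Returns (latitude, longitude, matched_count), or None when no BSSID in the
    scan is present in the database (the failure mode a lookup must handle).
    """
    matched = [(db[bssid], rssi_weight(rssi)) for bssid, _essid, rssi in scan if bssid in db]
    if not matched:
        return None
    total = sum(w for _, w in matched)
    lat = sum(p[0] * w for p, w in matched) / total
    lon = sum(p[1] * w for p, w in matched) / total
    return (lat, lon, len(matched))


if __name__ == "__main__":
    print(estimate_position(SCAN, KNOWN_APS))
```

With three matched BSSIDs the estimate lands within a few metres of the strongest access point, which is all an observer needs to place the device on a map.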
https://archive.fo/WCJuA
ELSA was initially created in 2012, according to a 2013 user manual obtained by WikiLeaks. The manual is marked as ‘secret, noforn’ - meaning it’s not to be shared with other countries.
When the target device is connected to the internet, ELSA attempts to use public geolocation databases from Google or Microsoft to track the device’s location, and stores the longitude, latitude and timestamp in encrypted form on the device for the CIA to extract at a later time.
ELSA was developed by the Engineering Development Group (EDG), the division that manufactures the CIA’s hacking tools. The EDG is part of the Center for Cyber Intelligence (CCI).
ELSA is designed to be injected into an existing process on a device’s system. “It’s delivered in the form of a DLL,” the manual reads. A Windows DLL (Dynamic Link Library) is a library of code and data that can be used by more than one program at the same time. It helps operating systems and programs run faster and use less space.
ELSA also uses a configuration tool (patcher) and a post-processor. It uses the Microsoft Windows command-line tool RegSvr32 to perform the installation.
https://archive.fo/9Mgwo