How many people specifically know where you are right now? Some friends and family? Your coworkers, maybe? If you're using a Windows laptop or PC you could add another group to the list: the CIA.
New documents released on Wednesday as part of WikiLeaks' series of CIA hacking revelations detail a method the agency uses to geolocate computers and the people using them.
The agency infects target devices with malware that can then check which public Wi-Fi networks a given computer can connect to at a given moment, as well as the signal strengths of those networks. From there, the malware compares the list of available Wi-Fi options to databases of public Wi-Fi networks to figure out roughly where the device is. The leaked documents detailing the project, which is known as ELSA, date back to 2013, and specifically address laptops and PCs running Windows 7. But experts say that the technique is straightforward enough that the CIA could have a version of it for every Windows release.
"This technique has been done and known about for a long time," says Alex McGeorge, the head of threat intelligence at the security firm Immunity. “It’s like give me all the information from the radios on your [device] to try to get a better fix on your location.”
ELSA only works on Wi-Fi-enabled workstations, but that’s … pretty much everything at this point. The specific process involves installing malware on a target computer, using that to access the victim device’s Wi-Fi sensor to check for nearby public Wi-Fi points, logging each one’s MAC address and Extended Service Set Identifier (the fingerprints of a Wi-Fi network), and then checking those identifiers against publicly available Wi-Fi databases maintained by Google and Microsoft. By combining this location data with signal strength readings, the malware can calculate the device’s approximate longitude and latitude at a given time. It then encrypts this data and stores it until a CIA agent can work to exfiltrate it. ELSA also includes a removal process so the CIA can cover its tracks.
While the underlying concepts are commonly enough known, pulling it off requires quite a bit of sophistication. The technique requires exploit tools (methods for taking advantage of unpatched bugs in computer software) to give the CIA access to the target device in the first place. And at the point where the agency can install ELSA malware on the device, they presumably also have access to do a host of other aspects of the computer in question.
You can see how gathering location data might be a frequent priority, though, and the ELSA strategy is practical because it doesn’t require any specialized capabilities like GPS or a wireless chip. It can even work when the target device isn’t actually connected to the internet. As long as the Wi-Fi sensor is enabled, the malware can still record which Wi-Fi networks are in range and when, and store the information for later processing.
Researchers note that the Wi-Fi databases maintained by Google and Microsoft have expanded and improved since 2013, so it’s likely that the capability has only gotten more accurate over time. It might also have been possible for companies like Google and Microsoft to figure out who the CIA investigates into if they can glean any unique qualities of the database queries the malware would send. But now that technical details of the capability have leaked, the CIA will presumably revise it–if the agency hasn’t already over the last four years.
“If you had asked me before, ‘Does the CIA have some spy software shit that would do this?,’ I would have said yeah, of course,” McGeorge says. And now the world knows for sure.
Download SafeUM — communicate privately, without advertising and spam.