Vault7: CIA Hacking Tools Revealed
Network Related Strings in EXTENDING | Building a WiFi interface watchdog
SECRET // REL US,UK
The version of source released to us by the UK did not include their implementation of wifi comms, but their developers explained roughly how EXTENDING works. This is what we (generally) understand from that conversation. The Samsung SmartHub application is continually scanning in the background for wifi networks. The EXTENDING implant does not scan for wifi networks, but uses the list generated by the Samsung application. When EXTENDING sees the wifi network it is configured to use for exfiltration in Samsung's list, it will connect to it using the parameters specified in config.xml.
To gain more insight into how we might keep the wifi interface alive when the device enters Fake-Off mode, our approach was to examine the strings in all the binaries from the UK's EXTENDING build. Here is a list of wireless-network-related strings that provided some clues on how to proceed and may provide additional ideas for better solutions moving forward.
udhcpc -i
-t 5 -T 5 -b
/proc/net/dev
/proc/net/wireless
Driver has no wireless Extension version information
SIOCGIFCONF
SIOCSIWMODE
SIOCSIWFREQ
SIOCSIWENCODE
SIOCSIWNWID
SIOCSIWESSID
/proc/*/comm
Alternate Approaches
EXTENDING/Weeping Angel already hooks key presses from the remote (or the TV going to sleep) to cause the system to enter Fake-Off rather than Off. Since the implant is already hooking these events, the implant knows when the TV will be entering Fake-Off mode. A review of strings from libt.so shows "hooked_power_e", "PowerType", "BootReason", and "*Power*" – all starting points to find where in the source power shutdown is being hooked. A better solution might be to take action at this time, rather than continuously check the state of the wlan0 interface.
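When reviewing a binary extracted from a TV firmware image, the strings named on this page (the wireless list above and the libt.so power-hook names) can be looked for with a small strings(1)-style scan. This is an added example, not code from the original notes or from the EXTENDING source; the function names, category labels and sample bytes are constructed for illustration, and a hit is only a lead for manual review.

```python
import re

# Strings listed on this page, grouped by what they suggest the binary does.
# The category labels are this example's own, not terms from the notes.
INDICATORS = {
    "dhcp_client": ["udhcpc -i", "-t 5 -T 5 -b"],
    "procfs": ["/proc/net/dev", "/proc/net/wireless", "/proc/*/comm"],
    "wireless_ioctl": ["SIOCGIFCONF", "SIOCSIWMODE", "SIOCSIWFREQ",
                       "SIOCSIWENCODE", "SIOCSIWNWID", "SIOCSIWESSID"],
    "power_hook": ["hooked_power_e", "PowerType", "BootReason"],
}


def extract_strings(data: bytes, min_len: int = 4):
    """Yield (offset, text) for each printable-ASCII run, like strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")


def triage(data: bytes) -> dict:
    """Map each category to the (file offset, indicator) pairs found in data."""
    hits = {}
    for offset, text in extract_strings(data):
        for category, needles in INDICATORS.items():
            for needle in needles:
                pos = text.find(needle)
                if pos != -1:
                    hits.setdefault(category, []).append((offset + pos, needle))
    return hits


# Constructed sample bytes standing in for a slice of a binary's data section.
SAMPLE = (b"\x00\x01udhcpc -i \x00 -t 5 -T 5 -b\x00\xff"
          b"/proc/net/wireless\x00SIOCSIWESSID\x00")

if __name__ == "__main__":
    for category, found in sorted(triage(SAMPLE).items()):
        for offset, needle in found:
            print(f"{category:15s} 0x{offset:04x}  {needle}")
```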