WikiLeaks Research Community Challenge 1.2 - Products vulnerable to CIA hacking

in #wikileaks, 7 years ago (edited)

Julian Assange

One of the most important WikiLeaks challenge tasks is to identify each and every device affected by Vault 7 leaks. A daunting task indeed! It certainly doesn't help that in an apparent act of censorship Wikipedia removes this information as fast as I can post it.

This is exactly why we have WikiLeaks and the WikiLeaks Research Community (https://our.wikileaks.org)! Here is some of my research so far, which should lay a foundation for others on a critical topic in the first WikiLeaks Research Community challenge, "Products vulnerable to CIA hacking".

Visit the WikiLeaks Research Community page on Research Challenges for more info

Android smartphones/tablets

The CIA targeted numerous Android smartphones such as the Samsung Galaxy and Galaxy Note.(1) At least 23 different tools and exploits were developed specifically for the Android operating system, including the previously discussed Dugtrio.(2) Some of these Android tools were also used in JQJGUNSHY to exploit the Samsung Galaxy Tab.(3)

Apple products

Products affected (and the tools used) in Year Zero:

  • Airport Extreme (HarpyEagle)
  • iPad (DRBOOM, McNugget)
  • iPhone (DRBOOM, McNugget)
  • Mac OS X (DerStarke, SnowyOwl)
  • Time Capsule (HarpyEagle)

Products affected (and the tools used) in Dark Matter:

  • MacBook Air / MacBook Pro (Sonic Screwdriver, DarkSeaSkies)
  • Thunderbolt-to-Ethernet adapter (Sonic Screwdriver)
  • Mac OS X (DarkSeaSkies)
  • iPhone (NightSkies)

CDs/DVDs

HammerDrill is a CD/DVD collection tool that collects directory walks and files to a configured directory and filename pattern, and logs CD/DVD insertion and removal events. v2.0 adds a gap-jumping capability that trojanizes 32-bit executables as they are being burned to disc by Nero. Additionally, v2.0 adds a status, termination and on-demand collection feature, controlled by HammerDrillStatus.dll, HammerDrillKiller.dll and HammerDrillCollector.dll respectively. The logging now also fingerprints discs by hashing the first two blocks of the ISO image, which enables unique identification of multi-session discs even as data is added and removed. The log also records whenever a HammerDrill-trojaned binary is seen on a disc.(4)
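The disc-fingerprinting idea above (hash the first two 2048-byte logical sectors of an ISO 9660 image) is easy to reproduce, and reproducing it also shows its limit. The example below is added here and is not HammerDrill code or anything from the leaked documents; the images it inspects are constructed in build_iso(), and the volume name BACKUP_2017 and the boot stub are made up for the illustration.

```python
"""Fingerprint an ISO 9660 image by hashing its first two logical sectors, the
scheme the HammerDrill description mentions. Added illustration, not HammerDrill
code; the images are constructed in build_iso() below."""
import hashlib
from typing import Optional

SECTOR = 2048        # ISO 9660 logical sector size
PVD_SECTOR = 16      # the Primary Volume Descriptor starts at logical sector 16


def fingerprint(image: bytes, blocks: int = 2) -> str:
    """SHA-256 over the first `blocks` sectors (zero-padded if the image is shorter)."""
    head = image[: blocks * SECTOR].ljust(blocks * SECTOR, b"\0")
    return hashlib.sha256(head).hexdigest()


def system_area_is_blank(image: bytes, blocks: int = 2) -> bool:
    """True when the hashed region is all zeros, i.e. the fingerprint has no entropy.
    Sectors 0-15 are the ISO 9660 System Area; plain data discs usually leave them
    empty, so a two-block hash then only tells apart discs that carry boot code."""
    return not any(image[: blocks * SECTOR])


def volume_id(image: bytes) -> Optional[str]:
    """Volume identifier from the PVD (bytes 40-71), or None if this is not ISO 9660."""
    off = PVD_SECTOR * SECTOR
    pvd = image[off : off + SECTOR]
    if len(pvd) < 72 or pvd[0] != 1 or pvd[1:6] != b"CD001":
        return None
    return pvd[40:72].decode("ascii", "replace").rstrip()


def build_iso(volume: str, system_area: bytes = b"") -> bytes:
    """Constructed minimal image: optional boot code in sector 0, a PVD at sector 16
    and a terminator descriptor at sector 17. Enough for the checks above; it is
    not a mountable disc."""
    img = bytearray(18 * SECTOR)
    img[: len(system_area)] = system_area
    pvd = PVD_SECTOR * SECTOR
    img[pvd] = 1                                   # type 1 = primary volume descriptor
    img[pvd + 1 : pvd + 6] = b"CD001"
    img[pvd + 6] = 1                               # descriptor version
    img[pvd + 40 : pvd + 72] = volume.encode("ascii").ljust(32)
    term = pvd + SECTOR
    img[term] = 255                                # type 255 = descriptor set terminator
    img[term + 1 : term + 6] = b"CD001"
    img[term + 6] = 1
    return bytes(img)


# Constructed samples: a plain data disc and a bootable one with a 512-byte MBR stub.
BOOT_STUB = b"\xeb\xfe" + b"\x90" * 508 + b"\x55\xaa"
PLAIN_ISO = build_iso("BACKUP_2017")
BOOT_ISO = build_iso("BACKUP_2017", system_area=BOOT_STUB)

if __name__ == "__main__":
    for name, img in (("plain", PLAIN_ISO), ("bootable", BOOT_ISO)):
        print(f"{name:8s} vol={volume_id(img)!r} "
              f"blank_system_area={system_area_is_blank(img)} "
              f"fp={fingerprint(img)[:16]}...")
```

The caveat the code makes visible: two plain data discs with different volume names produce the same two-block fingerprint, because the ISO 9660 System Area is normally empty; only discs with boot code (or an isohybrid MBR) in sector 0 get a distinctive hash. Anyone building such a fingerprint for forensic use should fold the PVD sector into the hash, or hash a later region that actually changes between discs.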

Cisco routers/switches

JQJSTEPCHILD was a project to discreetly exploit and take over Cisco 2911 routers.(5) Several additional router models were also targeted in various projects and by various tools, such as the "Cinnamon" test of the Cisco 881.(6) In addition to routers, it seems Cisco network switches were also targeted, as in the case of the Cisco Catalyst 2960S exploits used in JQJTHRESHER.(7)

iFrame media (YouTube, games, etc.)

iFrame injection consists of one or more iFrame tags inserted into a page or post's content; the injected frame typically loads an executable or performs other actions that compromise the site visitor's computer. Bee Sting is a separate Vault 7 tool for injecting data into iFrame media.(8) Flash Bang, another tool, would then be used to set up a persistent backdoor through this iFrame injection.(9)
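From the defender's side, an injected iFrame tends to give itself away in the page source: it is sized to zero, hidden with CSS, or pointed at a host the site never embeds from. The scanner below is an added example and is not Bee Sting, Flash Bang or any other Vault 7 code; SAMPLE_PAGE, the blog and cdn hostnames in it, and the allowed_hosts parameter are all constructed for the illustration.

```python
"""Find iFrames that look injected into a page: zero-size or CSS-hidden frames, and
frames pointing at an origin other than the page's own. Added example, not Bee
Sting or Flash Bang code; SAMPLE_PAGE and the hostnames in it are constructed."""
import re
from html.parser import HTMLParser
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlparse

# Inline styles commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I
)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.frames: List[Dict[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "iframe":
            self.frames.append({k: (v or "") for k, v in attrs})


def _is_tiny(value: str) -> bool:
    """width/height of 0 or 1, with or without a 'px' unit."""
    m = re.fullmatch(r"(\d+)\s*(?:px)?", value.strip().lower())
    return bool(m) and int(m.group(1)) <= 1


def suspicious_iframes(html: str, page_url: str,
                       allowed_hosts: Iterable[str] = ()) -> List[Tuple[str, List[str]]]:
    """Return (src, reasons) for each iframe that is tiny, hidden, or cross-origin
    to a host outside allowed_hosts (the embed providers the site really uses)."""
    parser = IframeCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    allowed = {h.lower() for h in allowed_hosts}
    findings: List[Tuple[str, List[str]]] = []
    for f in parser.frames:
        src = f.get("src", "")
        reasons: List[str] = []
        if _is_tiny(f.get("width", "")) or _is_tiny(f.get("height", "")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(f.get("style", "")):
            reasons.append("hidden-style")
        host = urlparse(src).hostname          # None for relative src values
        if host and host != page_host and host not in allowed:
            reasons.append("cross-origin")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: a legitimate video embed, an injected hidden frame, and
# a same-origin player.
SAMPLE_PAGE = """
<html><body>
<h1>Gameplay clips</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://cdn.example.net/ld.php" width="0" height="0"
        style="display:none"></iframe>
<iframe src="/local/player.html" width="400" height="300"></iframe>
</body></html>
"""

if __name__ == "__main__":
    hits = suspicious_iframes(SAMPLE_PAGE, "https://blog.example.org/post/1",
                              allowed_hosts={"www.youtube.com"})
    for src, why in hits:
        print(src, "->", ", ".join(why))
```

Cross-origin alone is not proof of injection, since video and game embeds are cross-origin by design; that is why the allow-list exists. A frame that is both hidden and cross-origin, as in the sample, is the pattern worth alerting on.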

Microsoft Windows

HIVE is able to activate and exploit numerous implants available in Microsoft Windows systems.(10) The HIVE 2.6.2 User's Guide from 2014 lists HIVE as compatible with Windows 2000 and Windows Server 2003.(11)

MikroTik routers

The NDB (Network Devices Branch) appears to have been involved in trying to exploit vulnerabilities in MikroTik's Hotspot and Paywall networking features as well as MikroTik routers.(12) The software tool used to do this appears to have been primarily Perseus.(13)

Personal Security Products (PSPs) & anti-virus software

The tool DriftingShadows was able to run its exploit without being noticed by anti-virus software made by Kaspersky(14) and AVG.(15) In the latter case, however, testers were not always successful in bypassing AVG's alerts. DriftingShadows checks for Kaspersky on a target system and uses its whitelisted IPs to run a "GRAVITYTURN" exploit.

In another instance CIA IOC User #71473 shared a method for creating installers to bypass AVG security.(16)

Documents also show that another tool, Grasshopper, was able to successfully bypass Kaspersky as well as Symantec and Microsoft Security Essentials.(17)

In addition to products by Kaspersky, AVG, Symantec and Microsoft, other targeted PSP providers include:(18)

  • Avira
  • Bitdefender
  • ClamAV
  • EMET (Enhanced Mitigation Experience Toolkit)
  • ESET
  • GDATA
  • Malwarebytes
  • Norton
  • McAfee
  • Panda Security
  • Rising
  • Trend Micro
  • Zone Alarm

Smart TVs

Weeping Angel is a complex suite of software which gives the user multiple tools and vectors for attacking, monitoring and listening to a target machine, including Samsung Smart TVs.(19)

The Weeping Angel documentation lists the following capabilities and to-do items:(20)

  • Extract browser credentials or history
  • Extract WPA/WiFi credentials
  • Insert Root CA cert to facilitate MitM of browser, remote access, or Adobe application
  • Investigate the Remote Access feature
  • Investigate any listening ports & their respective services
  • Attempt to override /etc/hosts for blocking Samsung updates without DNS query and iptables (referred to by SamyGo)
  • Add ntpclient update calls to startup scripts to sync implant's system time for accurate audio collection timestamps

Vehicle Control Systems (VSEPs)

One document showed that the CIA was researching ways to infect vehicle control systems, particularly those built on QNX, the embedded operating system widely used in vehicles.(21)

If you like my work and wish to support my future projects and research, consider subscribing to my Patreon and receive additional perks for helping the cause!


Great post. Important information that needs to get out there.

Regarding VSEPs, look up investigative journalist Michael Hastings. He was quite possibly about to blow the lid off of "Deep State" crimes when his car accelerated and swerved into a tree, killing him.

Thank you, I will! I've been off steem wrapped up in how these CIA dumps touch me. Only in the periphery, to be sure; however, I recently met a guy who also has Air Force suicides in the generation before him at around the same time as my Father. I think we're seeing parts of the tip of the iceberg.
