A cache of CIA hacking and information gathering tools have been leaking online lately via in infamous WikiLeaks. Many of the documents detail complex and novel methods for infiltrating computer networks and mobile devices. Microsoft even had to patch the aged Windows XP recently in response to a CIA leak. The latest CIA tool revealed online is rather straightforward — malware that tracks a device’s physical location. However, it doesn’t need GPS, just Wi-Fi.
The CIA’s location tracker is known internally as ELSA, and appears to be limited to Windows systems. The leaked documents date from 2013 and focus on using ELSA on Windows 7. According to experts who have examined the documents, the technique is simple enough it could be adapted for any Windows release. The CIA simply needs a way to get the logger installed on the target system.
Using Wi-Fi to track devices isn’t something the CIA invented. In fact, your phone probably does this right now. Both Microsoft and Google operate databases of public Wi-Fi hotspots around the world. When a device sees certain hotspots (identified by SSID, signal strength, and MAC address), it’s possible to figure out approximately where it is without accessing GPS. This is helpful to the CIA because most computers don’t have GPS built-in, but it’s easier to get malware installed on them.
The CIA operative tasked with installing ELSA uses a tool called “PATCHER Wizard” to generate a DLL file. They simply have to set variables for 32-bit versus 64-bit systems, Google or Microsoft geolocation providers, maximum log file size, and so on. Delivering the DLL to a target machine will probably require the use of other pieces of malware in the CIA’s arsenal, though.
ELSA will operate even if the user is not connected to a Wi-Fi network. As long as the Wi-Fi radio is on, it can log which networks are in range. All that data is saved in a local log file with 128-bit AES encryption. When the target connects to the internet, that file is uploaded to the CIA operative for decryption and analysis.
The third-party Wi-Fi AP databases from Google and Microsoft have public APIs for browsers and other pieces of software. But there’s nothing stopping the CIA and others from using them for nefarious purposes. In fact, both these databases have become more robust since 2013. The tracking would be considerably more accurate if the CIA is still using ELSA or something like it.
Now read: Best ways to stay anonymous and protect your online privacy