WikiLeaks has published a document detailing a tool allegedly used by the U.S. CIA to track people’s locations via their WiFi-enabled devices.
The malware code-named Elsa implements geolocation feature, it scans visible WiFi access points and records their details, such as the ESS identifier, MAC address and signal strength at regular intervals.
Wikileaks published the user manual as part of Vault 7 dump, the document is dated September 2013 and there is no other information about its improvements.
RELEASE: CIA 'ELSA' implant to geolocate laptops+desktops by intercepting the surrounding WiFi signals https://t.co/XjyyXIqXAz pic.twitter.com/XAYMlBbY7i
— WikiLeaks (@wikileaks) June 28, 2017
The malware also works when the Wi-Fi enabled device is offline or isn’t connected to an access point.
When the device is connected online, the malware leverages public geo-location databases from Google or Microsoft to resolve the position.
The data recorded by the ELSA malware is encrypted and logged, CIA agents can access them only manually retrieving the log by connecting to the Wi-Fi connected device.
“ELSA is a geo-location malware for WiFi-enabled devices like laptops running the Micorosoft Windows operating system. Once persistently installed on a target machine using separate CIA exploits, the malware scans visible WiFi access points and records the ESS identifier, MAC address and signal strength at regular intervals.” reads the post published by Wikileaks. “To perform the data collection the target machine does not have to be online or connected to an access point; it only needs to be running with an enabled WiFi device. If it is connected to the internet, the malware automatically tries to use public geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp. The collected access point/geo-location information is stored in encrypted form on the device for later exfiltration. The malware itself does not beacon this data to a CIA back-end; instead the operator must actively retrieve the log file from the device – again using separate CIA exploits and backdoors.”
The data is encrypted and logged, and the malware’s operator can manually retrieve this log by connecting to the infected device. The ELSA malware could be customized by CIA operators in order to match the target environment and mission objectives.
“The ELSA project allows the customization of the implant to match the target environment and operational objectives like sampling interval, maximum size of the logfile and invocation/persistence method,” continues WikiLeaks. “Additional back-end software (again using public geo-location databases from Google and Microsoft) converts unprocessed access point information from exfiltrated logfiles to geo-location data to create a tracking profile of the target device.”
Below the list of release published by Wikileaks since March:
(Security Affairs – Elsa malware, CIA)