RELEASE: CIA 'ELSA' implant to geolocate laptops+desktops by intercepting the surrounding WiFi signals wikileaks.org/vault7/#Elsa
Elsa
28 June, 2017
Today, June 28th 2017, WikiLeaks publishes documents from the ELSA project of the CIA. ELSA
is a geo-location malware for WiFi-enabled devices like laptops running
the Microsoft Windows operating system. Once persistently installed on
a target machine using separate CIA exploits, the malware scans visible
WiFi access points and records the ESS identifier, MAC address and
signal strength at regular intervals. To perform the data collection the
target machine does not have to be online or connected to an access
point; it only needs to be running with an enabled WiFi device. If it is
connected to the internet, the malware automatically tries to use
public geo-location databases from Google or Microsoft to resolve the
position of the device and stores the longitude and latitude data along
with the timestamp. The collected access point/geo-location information
is stored in encrypted form on the device for later exfiltration. The
malware itself does not beacon this data to a CIA back-end; instead the
operator must actively retrieve the log file from the device - again
using separate CIA exploits and backdoors.