On Tuesday, WikiLeaks released new documents that reveal an arsenal of CIA hacking tools that are being used to break into internet-connected devices such as smartphones, computers, and even televisions.
The document dump, code-named “Vault 7,” was acquired by WikiLeaks from someone who they say is a “former U.S. government hacker and contractor.” WikiLeaks says that their source provided them with the documents because they raise serious questions that need to be debated in public, such as the amount of public oversight needed for the CIA and the “security, creation, use, proliferation and democratic control of cyberweapons.”
The first part of the dump, which WikiLeaks promises will be a series, is called “Year Zero” and “comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virginia.”
WikiLeaks claims that the CIA recently lost control of tools in its hacking arsenal, including viruses, malware, weaponized “zero day” exploits and malware remote control systems.
This amounts to more than several hundred million lines of code, the entire hacking capacity of the CIA, which could now be in the hands of anyone around the world. As WikiLeaks states, “The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner.” This means that the CIA’s arsenal of privacy-crushing cyberweapons could be in the hands of criminals and foreign spies.
The CIA’s arsenal includes tools with which to hack U.S. and European company products such as Apple’s iPhone, Google’s Android, and Samsung TVs. According to the documents, the tools the CIA uses can hack into these products, operate them remotely, and turn them into surveillance devices.
“The potential privacy concerns are mind-boggling”
Politicians are responding to the leak by calling for an immediate congressional investigation. U.S. Rep. Ted Lieu (CA) stated, “I am deeply disturbed by the allegation that the CIA lost its arsenal of hacking tools. The ramifications could be devastating. We need to know if the CIA lost control of its hacking tools, who may have those tools, and how do we now protect the privacy of Americans.”
Julian Assange believes the documents show “an extreme proliferation risk in the development of cyber ‘weapons.’”
According to the leak, the program nicknamed “Weeping Angel” uses Samsung smart TVs as listening devices. Even when the TV appears to be turned off (“Fake-Off”) it can operate as a bug, recording conversations in the room and sending them over the internet to a covert C.I.A. server. This technology was created with the help of British Intelligence.
The documents also claim that in 2014 the CIA was exploring the possibility of hacking into the internet-connected systems of modern cars.
CIA spokeswoman Heather Fritz Horniak responded by saying, “We do not comment on the authenticity or content of purported intelligence documents.”
WikiLeaks took care to redact any names and other identifying information from the collection so as not to expose individuals involved in the leak. This includes the redaction of “tens of thousands of CIA targets and attack machines throughout Latin America, Europe and the United States.” They also made sure to withhold computer code for any of the usable cyberweapons “until a consensus emerges on the technical and political nature of the C.I.A.’s program and how such ‘weapons’ should be analyzed, disarmed and published.”
The documents revealed by WikiLeaks show not only that the CIA has managed to infiltrate personal devices and use them to spy on people’s personal lives, but also that it practices framing other hackers for its deeds. The CIA policy is that its hackers must use cyberweapons in a way that cannot be traced back to the “CIA, U.S. government, or its witting partner companies.”
The techniques used by the CIA are effective against encryption software that many people use on their smartphones, such as WhatsApp, Signal, Telegram, Weibo, Confide and Cloackman, by “hacking the ‘smart’ phones that they run on and collecting audio and message traffic before encryption is applied.”
CIA hoards vulnerabilities
Another serious implication of the documents is that rather than disclose serious vulnerabilities, exploits, bugs or “zero days” to device manufacturers – something that the U.S. technology industry was assured of by the Obama administration – the CIA has hidden these problems.
After the U.S. government was lobbied by technology companies, it stated that it would disclose all pervasive vulnerabilities discovered after 2010. These documents show that this has not been the case. The CIA has instead been discovering these vulnerabilities and then using them for its own advantage. Because it has not shared them, manufacturers such as Apple and Google will not be aware of the holes and may not fix them, leaving devices hackable.
Hiding these vulnerabilities poses a huge risk. It leaves critical infrastructure at risk from foreign intelligence or cyber criminals. As WikiLeaks states, “If the CIA can discover such vulnerabilities so can others.”
If authentic, Vault 7 will be one of the biggest leaks of classified information in recent years, in the same category as the Chelsea Manning leaks of 2010 and the NSA leaks by Edward Snowden in 2013.
Cyberwarfare and cyberweapons are serious business and extraordinarily difficult to contain. Not only are they built on data that can be copied quickly at very little cost, but once any of these cyberweapons is set “loose” it can spread around the world in seconds.