A new release by Wikileaks of thousands of top-secret documents from the Central Intelligence Agency has revealed for the first time that the agency is actively hacking a wide variety of smart devices, even smart televisions.
The “Year Zero” release, the first part of what Wikileaks dubs “Vault 7,” includes 8,761 documents and files said to have been obtained from the high-security CIA Center for Cyber Intelligence division. It details the use of a veritable hacking arsenal: malware, viruses, trojans, weaponized zero-day exploits, malware remote control systems and associated documentation.
Disturbingly, the documents detail different forms of malware and zero-day exploits that have been used to obtain data and to spy on users of Apple’s iPhone, Google’s Android phones, Microsoft Windows computers and even Samsung smart televisions, including the ability to turn all of those devices into covert microphones.
Wikileaks points out in a media release that this means that the CIA’s Cyber division has become more powerful than the National Security Agency:
By the end of 2016, the CIA’s hacking division, which formally falls under the agency’s Center for Cyber Intelligence (CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other “weaponized” malware. Such is the scale of the CIA’s undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its “own NSA” with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.
The extent of the CIA’s hacking tools do not stop at the operating system level. The tools are also said to be able to compromise otherwise encrypted messaging apps including Signal, WhatsApp, Telegram, Weibo and Confide.
— WikiLeaks (@wikileaks) March 7, 2017
“These developments are troubling for many reasons,” Absolute Software Corp. Global Security Strategist Richard Henderson told SiliconANGLE via email. “Firstly, the fact that a government intelligence agency has been actively purchasing, developing, and distributing critical vulnerabilities in ubiquitous consumer devices forces us to ask some very hard questions about the levels of oversight these agencies have right now.”
What’s more, he said, “this incident makes it crystal clear to me that the government push to mandate or legislate backdoors into devices (which Apple pushed back on recently) can never be successful. These backdoors will leak out into the open, making it entirely likely that agencies not friendly to the West will also take advantage of these vulnerabilities.”
While the extent of the CIA’s abilities are disturbing, some argue that encryption is not dead. Protonmail Inc. spokesman Alex Rosier told SiliconANGLE via email that “after an in-depth analysis, we can confirm that none of the Vault7 disclosures indicate any compromise of the core cryptography that underpins ProtonMail and other popular encrypted services.” He also said that Signal, Whatsapp and similar encrypted messaging tools are not compromised either.
That doesn’t, however, negate that fact that messages may have been intercepted at an operating-system level before entering the encrypted apps because both iOS and Android were compromised, as Edward Snowden points out in a tweet:
PSA: This incorrectly implies CIA hacked these apps / encryption. But the docs show iOS/Android are what got hacked – a much bigger problem. https://t.co/Bw9AkBpOdt
— Edward Snowden (@Snowden) March 7, 2017
The data itself is still being analyzed by security experts, so without doubt there will be more revelations to come from it. Wikileaks also has promised to release further documentation in coming weeks.
What can be taken away from what we know so far is that no data is ever safe and secure, and that users should always presume that anything they say or do, not only via mobile phone but in their living rooms could be being monitored.