On March 7th, WikiLeaks published a catalogue of documents containing details of secret hacking tools used by the CIA. They called this information “Vault 7” and have promised the leak is just a small part of a much bigger cache of data, which they will release shortly.
The documents date from 2013 to 2016 and contain detailed reports on how the CIA could turn computers, telephones, SMART TVs and routers into remote spying devices, as well as bypassing encrypted messaging services by hacking into Apple and Android mobiles.
Who leaked the information?
A rogue employee? Theft involving a CIA contractor? Espionage?
WikiLeaks said the material came from “an isolated, high-security network” inside the CIA’s Centre for Cyber Intelligence. It said the documents were “circulated among former US government hackers and contractors in an unauthorised manner, one of whom has provided WikiLeaks with portions of the archive”.
It seems probable that CIA contractors were the likely source of the leak. Which does raise a rather important question about who exactly would be motivated to leak this information, and how long it will take for the CIA to catch them to prevent any further damaging disclosures.
What does the leaked information mean?
Basically, the US Government has done more cyber espionage than everyone thought.
The leaks detail how the CIA have been sending spies across the EU to obtain malware created in different European countries. Additionally, the agency gained cyber weapons by trading, buying, and selling malware from the British intelligence service MI5.
Each piece of malware collected has some way to identify which country it originates from. The CIA are therefore able to exploit this by pretending that attacks have originated from other countries, rather than themselves, e.g. laying “false attribution”. So, for example, if the CIA obtained malware from a country such as China, then used these tools to attack targets in France, then the French would conclude that the Chinese government ordered the attacks.
In addition to this the CIA have been collecting “zero-day exploits”. Zero-day exploits are problems in code that are unknown to the original programmer and a customer. These problems allow a hacker to easily collect data from the world’s most popular technology platforms. These tools would allow the CIA to take almost complete remote control of a user’s phone, turning it into a remote spying device reporting back to the agency. Another document discusses hacking vehicle systems, appearing to show the CIA’s interest in hacking recent car models that use sophisticated on board computer systems.
Can they listen to us through our TVs?
Have you seen the panicky headlines about how a government can listen to your conversations through your SMART televisions?
Supposedly, the CIA have a tool called “Weeping Angel” (nerdy Dr Who reference) which has been developed in partnership with GCHQ. This tool enables CIA agents to use a Samsung SMART TV to spy on civilians, by recording conversation over the TV microphone.
However, this isn’t as worrying as you might think, as a USB stick would have to be physically inserted into a TV port to enable spies to hack into the SMART TV. So, if your house hasn’t been recently infiltrated by CIA agents, you should be OK.
Should I be worried?
Have you done anything which is likely to attract the attention of the CIA? No? Then don’t worry too much.
It is well known in the cyber security community that intelligence agencies are exploiting flaws in technology to conduct espionage. As Nicholas Weaver, a security researcher at the International Computer Science Institute in Berkeley recently blogged, “The story here isn't that the CIA hacks people. Of course, they do; taxpayers would be right to be annoyed if that weren't the case,”. [http://nweaver.blogspot.co.uk/]
Also, the cost of carrying out attacks is high, and each time they are used it risks them being rendered useless if they are discovered and fixed. That means that it’s unlikely the CIA is using such techniques to hack millions of mobile phones at once.
As security researcher Matt Blaze tweeted recently [https://twitter.com/@mattblaze], “These kinds of exploits don’t just let them read everyone’s traffic over the ‘net at the push of a button.”
This is not about mass surveillance but instead about the CIA monitoring specific targets.
But the attacks are still important
The attacks show that we need to know how someone could do this, so that we can protect ourselves against any future cyber incidents. If WikiLeaks releases details of the hacking tools, then criminals will seek to use and modify these tools for their own personal gain. If they ended up in the wrong hands, it could be very dangerous.
However, the most serious issue is the problem of identifying who was behind the WikiLeaks disclosure, and their motivations. There must be somebody on the inside — whether it's a contractor or an employee within the CIA — handing over the information. Surely therefore the main priority is to catch the mole before any more damaging data is released?
At 2-sec, we are completely unsurprised that espionage agencies are collecting and monitoring cyberattack techniques. Don’t forget that cyber warfare can be just as dirty as regular warfare, and it is almost impossible to enforce any rules, so agencies need to be examining the latest tools and techniques to be able to protect against future attackers.
Matt Blaze, has the final word: “What can you do as a user to defend? Boring stuff. Keep your software up to date. Don’t run unneeded apps.” But, most important of all: “Don’t become a CIA target.”