WikiLeaks has issued a blockbuster press release today along with a tranche of documents that were leaked to it that describe the CIA’s efforts to infiltrate people’s communications systems. The documents reveal that the CIA targeted smartphones and computers and turned so-called Smart TVs into eavesdropping devices. The documents allege that the CIA then lost control of this spying arsenal which means that others may now possess these same capabilities, which would constitute a massive breach in its security systems.
Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.
“Year Zero” introduces the scope and direction of the CIA’s global covert hacking program, its malware arsenal and dozens of “zero day” weaponized exploits against a wide range of U.S. and European company products, include Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.
WikiLeaks has been working with the German publication Der Spiegel and the Italian publication La Repubblica to disseminate this information. The Der Spiegel report says:
According to a WikiLeaks press release, the cache of documents, christened “Vault 7” by organization, provides an overview of the CIA’s secret hacking arsenal, including malware, viruses, Trojans and the targeted exploitation of systemic weaknesses, referred to as “Zero Day Exploits” in the parlance. The documents indicate that the tools enable the CIA to breach Apple iPhones, Android devices from Google, Windows computers and even televisions.
The material published by WikiLeaks is from an anonymous source. According to the platform, the material has been circulating among former U.S. government hackers and contractors, which is how it found its way to the whistleblowing platform. According to a WikiLeaks statement, the source hopes the publication of the documents will trigger a debate on how the use of cyberweapons can be democratically legitimized and controlled.
WikiLeaks claims to have spent several months reviewing the documents. In contrast to past data dumps, WikiLeaks edited and redacted parts of the documents prior to publication.
Edward Snowden has commented on the latest leaks.
Edward Snowden, who is in exile in Russia, said in a series of tweets the documents seemed genuine and that only an insider could know this kind of detail. “Still working through the publication, but what @Wikileaks has here is genuinely a big deal. Looks authentic.”
He added: “If you’re writing about the CIA/@Wikileaks story, here’s the big deal: first public evidence USG(US government) secretly paying to keep US software unsafe.” He described this as “reckless beyond words”.
The La Repubblica report describes the kinds of things the CIA did.
Last year, speaking to the US Senate the head of the US intelligence community, James Clapper, declared: “In the future, intelligence services might use (the internet of things) for identification, surveillance, monitoring, location tracking”. Clapper was certainly not an oracle predicting the future: according to the WikiLeaks’ files, the CIA has been able since 2014 to implant malware on on a well-known model of smart TV to capture conversations inside the room where the TV is connected to the Internet. The programme is called “Weeping Angel” and it was developed by the Embedded Development Branch in collaboration with the British intelligence services.
This report also says that the source explained to WikiLeaks why s/he decided to release the documents.
Many of these documents are classified and contain even the identities of CIA’s personnel, which WikiLeaks has not published but it has rather redacted. According to the organisation, these files have been available in “an isolated, high-security network situated inside the Cia’s Center for Cyber Intelligence in Langley, Virginia”, but recently the Cia “lost control of the majority of its hacking arsenal”: this archive “appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive”.
…WikiLeaks claims that the source for these documents made a statement to the organisation, explaining his rationale for providing these files: “The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons”.
After Chelsea Manning and Edward Snowden, I expressed the hope that other courageous individuals would follow their example and release information that the public had a right to know. This latest leak shows the evolving nature of such releases. In the case of Manning, WikiLeaks did an indiscriminate data dump of all the files they received. With Snowden, the release was more measured with him releasing the documents to selected journalists with the understanding that only material in the public interest would be vetted and released. The latest leak follows that second pattern.
More revelations from the documents are promised. You can be sure that there will be a massive search for the leaker.
There are a lot of security practitioners (ahem!)(*waves hand*) who have been saying for years that building these sorts of capabilities invites their being stolen. In fact a few years ago I saw a business plan by someone who was looking at devising ways of taking over whole botnets (“wanna buy a hot russian botnet of 200,000 nodes?”) permanently. Imagine how much some of those CIA and NSA tools’ penetrated targets would be worth…? Lots. My opinion is that the decision-makers in the intelligence community aren’t very smart or thoughtful -- they pursue bad strategies that are practically designed to fail. For example, the over-reliance on contractors: that was a strategy predicated on two things 1) getting around the amount of time and effort it took to background-check and clear people 2) pursue the corporatist agenda of privatizing as much as possible. The funny part is that corporatism doesn’t result in savings -- even then there are efficiencies, the savings are recaptured: you wind up with bigger agencies never cheaper ones. You could fairly blame a lot of the leaking on more efficient information management systems that were put in place to deal with the glut of classified material.
Marcus,
I also thought that the privatization of military and CIA and NSA to contractors served another purpose and that was to allow the heads of those government agencies to wash their hands of any messes that might occur, by blaming the contractors.
Mano Singham@#2:
to allow the heads of those government agencies to wash their hands of any messes that might occur, by blaming the contractors
That would presuppose that they were actually being held responsible for their failures. In principle that might happen, but it doesn’t appear to be a real concern. Yeah, there’s a certain amount of “blame it on a contractor” when a program fails or runs over budget but the contractors know they’ll just bid for the reboot and nobody’ll notice.
Seriously, can you think of any time that someone at NSA or CIA has been held accountable for a screw-up? Even the Bay of Pigs didn’t ruin any careers.