I was surprised that the leak from within the CIA of nearly 9,000 documents, which WikiLeaks has labeled ‘Vault 7’ and which revealed information about the agency’s spying methods on Americans and how it lost control of the systems it was using, has not received much greater prominence in the news, though it is now receiving more scrutiny as both the FBI and CIA launch criminal investigations into the leaks.
But The Intercept has been following the story closely and has three reports. Jenna McLaughlin describes the many malware tools used by the CIA and the targets of the attacks, one of whose goals was to take full control of Apple and Android devices.
The attacks allow for varying levels of access — many powerful enough to allow the attacker to remotely take over the “kernel,” the heart of the operating system that controls the operation of the phone, or at least to have so-called “root” access, meaning extensive control over files and software processes on a device. These types of techniques would give access to information like geolocation, communications, contacts, and more.
The CIA exploited what are called ‘zero day’ vulnerabilities without informing the companies of the security holes, thus allowing others to also use them.
Some of the attacks are what are known as “zero days” — exploitation paths hackers can use that vendors are completely unaware of, giving the vendors no time — zero days — to fix their products. WikiLeaks said the documents indicate the CIA has violated commitments made by the Obama administration to disclose serious software vulnerabilities to vendors to improve the security of their products.
At least some civil liberties advocates agree with the WikiLeaks assessment. “Access Now condemns the stockpiling of vulnerabilities, calls for limits on government hacking and protections for human rights, and urges immediate reforms to the Vulnerabilities Equities Process,” Nathan White, senior legislative manager for digital rights group Access Now, wrote in response to the new leak in a press release.
This is why Edward Snowden said these revelations are a “big deal” and that the big story here is that the US government was “developing vulnerabilities in US products, then intentionally keeping the holes open”, and thus vulnerable to hackers, actions that he described as “reckless beyond words”.
Sam Biddle discusses in more detail the ‘Weeping Angel’ project (where do they come up with these names?) that involves planting malware that turns Smart TVs into listening devices. The report initially identified only Samsung TVs, but it is unlikely that they stopped there, and some companies have reacted to the news.
Apple, one of numerous tech companies whose devices appear to have been targeted, released a statement late on Tuesday saying many of the vulnerabilities described by the documents were already fixed as of the latest version of its iOS mobile operating system, and aimed to reassure customers that it was working on patching the rest of the holes.
It said: “While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities,” it added. “We always urge customers to download the latest iOS to make sure they have the most recent security updates.”
Other companies mentioned in the leaks, including Microsoft and Samsung, gave briefer statements. “We are aware of the report and are looking into it,” Microsoft said. Samsung said: “Protecting consumers’ privacy and the security of our devices is a top priority at Samsung. We are aware of the report in question and are urgently looking into the matter.” Google has yet to comment on the leaks, which contain a sizeable amount of information on how to target its Android operating system.
Biddle and Micah Lee say that some initial reports that the CIA was able to overcome the encryption systems in supposedly secure social network sites like WhatsApp and Signal were overstated.
By specifically mentioning these apps, news outlets implied that the agency has a means of getting through the protections built into the chat systems. It doesn’t. Instead, it has the ability, in some cases, to take control of entire phones; accessing encrypted chats is simply one of many security implications of this. Wikileaks’ own analysis of the documents at least briefly acknowledges this, stating that CIA “techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the ‘smart’ phones that they run on and collecting audio and message traffic before encryption is applied.”
Contrary to the clear implication from these journalists and news sources, the documents WikiLeaks published do not appear to show any attack specific to Signal or WhatsApp, but rather a means of hijacking your entire phone, which would of course “bypass” encrypted chat apps because it thwarts virtually all other security systems on the device, granting total remote access to the CIA.
There is going to be renewed scrutiny of government spying now that FBI director James Comey has declared that privacy is dead.