WikiLeaks has released thousands of documents that it claims show how the Central Intelligence Agency can break into smartphones, computers and other connected devices, including smart TVs.
The trove, which WikiLeaks is dubbing “Vault 7,” purports to be a massive archive of CIA material consisting of several hundred million lines of computer code that has been “circulated among former US government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”
“This demonstrates conflicting challenges faced by the security developer community,” said Vikram Kapoor, co-founder and CTO at Lacework, a Mountain View, Calif.-based provider of cloud security solutions, via email. “On one hand, this has scary implications for individual privacy rights and shows how extensively some of the systems can be hacked. On the other hand, it demonstrates how hard it is to manage security for insider risk and cloud workloads today for organizations.”
Most centrally, the documents show ways that the agency allegedly can hack mobile phones and can bypass the encryption used by messaging services like Signal, WhatsApp and Telegram. After penetrating Android phones, the CIA can collect “audio and message traffic before encryption is applied,” WikiLeaks said.
The purported intelligence documents also include detailed information on CIA-developed malware—dubbed things like Assassin and Medusa. And, the documents point to an entire alleged unit in the CIA devoted to hacking Apple products. Further, WikiLeaks alleges that the CIA is proven here to have deliberately failed to disclose security vulnerabilities and bugs to major US software manufacturers, choosing instead to leverage them for its own ends.
On a darker front, the documents claim that the CIA maintains remote hacking programs to turn various connected devices, including smart TVs, into recording and transmitting stations, with the feeds sent back to secret CIA servers.
Other capabilities “would permit the CIA to engage in nearly undetectable assassinations,” WikiLeaks said. One document lays out actions that the CIA allegedly took to infiltrate and take over vehicle control systems in cars and trucks.
“Many of the vulnerabilities cited in this tool set are well-known,” said Andrew McDonnell, president at AsTech, a San Francisco-based security consulting company, via email. “Smart TVs, old Android phones (such as the President's), unpatched routers, and a host of other devices have known vulnerabilities that are not exclusive to the CIA. These implementations may have been exclusive, but that doesn't mean only the CIA had exploits. If genuine, there are likely some proprietary vulnerabilities or zero-days in there. Ultimately, secret backdoors in software—whether intentional or based on an exploit—make everyone less safe: there's no way to control who uses them.”
The source of the documents was not named, no news organization has verified the documents’ authenticity, and the CIA has said that it will not comment. However, a former intelligence officer told the New York Times that some of the code names for CIA programs, an organization chart and the description of a CIA hacking base appeared to be genuine.
Edward Snowden meanwhile has weighed in via Twitter, saying that he too believes the information to be real.
“Program & office names, such as the JQJ (IOC) crypt series, are real. Only a cleared insider could know them,” he tweeted.
The initial release, which WikiLeaks said was only the first part of the document collection, includes 7,818 web pages with 943 attachments. The documents, from the CIA’s Center for Cyber Intelligence, are dated from 2013 to 2016, and the sum total of the cache is the “entire hacking capacity” for the CIA.
WikiLeaks said it was not releasing any cyberweapon code itself “until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should be analyzed, disarmed and published.”
Fred Wilmot, CEO at Packetsled, told us that the ethics of the situation don’t stand the CIA in good stead, should the documents prove to be legitimate.
“There is nothing to debate about the security, creation and proliferation of cyberweapons,” he said via email. “However, there is plenty to debate about privacy, audit and transparency for Americans when it comes to their homes, their personal data and their required level of cognition necessary to protect themselves from any cyberweapons in today's connected world.”