Yesterday, WikiLeaks published thousands of pages of what appeared to be leaked internal CIA documents.
The haul, which WikiLeaks has somewhat pretentiously dubbed “Vault 7”, is claimed to be “the largest ever publication of confidential documents on the agency.”
The first 8,761 documents released by WikiLeaks appear to be fairly recent, and have been dubbed “Year zero” (again, for reasons perhaps best known to Julian Assange).
Some of the juicier titbits contained within the documents are already making plenty of headlines.
Unfortunately, some of the reporting has been sloppy.
Take, for instance, WikiLeaks’s claim that the CIA can use zero-day vulnerabilities to “bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman”. This sloppy language led some journalists to report that the CIA had found a vulnerability in the secure chat apps that allowed them to snoop on “secure” messages.
But that’s not true.
Instead, it appears that WikiLeaks is merely referring to the CIA’s ability to infect smartphones with spyware that can record conversations and keystrokes. No-one wants to be snooped on in that way, of course, but it’s a very different prospect from secure apps like Signal being found to contain a fundamental weakness.
If an unauthorised party has physical access to your computer or mobile device then all bets are off. Of course they could install spyware onto it.
The report resulted in Whisper Systems, the brains behind the Signal encrypted messaging app, putting the record straight:
The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption.
— Signal (@signalapp) March 7, 2017
Indeed you could argue that apps like Signal are doing a great job at securing their end-to-end encrypted communications if authorities have to go so far as intentionally meddling with one of the devices to discover what is being communicated.
You may also hear news reports of the CIA turning smart TVs into insidious spying devices, keeping a crafty eye and ear on viewers, following this assessment made by WikiLeaks in its press release:
The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell’s 1984, but “Weeping Angel”, developed by the CIA’s Embedded Devices Branch (EDB), which infests smart TVs, transforming them into covert microphones, is surely its most emblematic realization.
The attack against Samsung smart TVs was developed in cooperation with the United Kingdom’s MI5/BTSS. After infestation, Weeping Angel places the target TV in a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on. In ‘Fake-Off’ mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.
Again, there’s some need for a fact check here.
“Weeping Angel”, named after a terrifying Doctor Who monster that you really shouldn’t blink at, is installed via a USB stick.
If you’re worried about the prospect of an intelligence agency breaking into your home in order to plug a malicious USB stick into the back of your Samsung Smart TV then I’d argue you probably should also be worrying that intelligence agencies are breaking into your house full stop.
After all, who knows where else they could be installing surveillance devices?
Now if there was any evidence that the Weeping Angel surveillance module could be installed onto smart TVs remotely without having to creep around someone’s house, or that TVs were being meddled with in the supply chain before arriving in households, then, well, maybe that would be more alarming.
Over the coming days there will no doubt be much more to dig out from WikiLeaks’ CIA files leak. In the meantime, here are some interesting articles to keep you occupied:
- Reuters: WikiLeaks says it releases files on CIA cyber spying tools
- The Intercept: The CIA didn’t break Signal or WhatsApp, despite what you’ve heard
- Ars Technica: After NSA hacking exposé, CIA staffers asked where Equation Group went wrong
One final thing.
WikiLeaks claims that the CIA has been “hoarding” serious zero-day vulnerabilities and exploits that allow it to break into and spy upon technology from the likes of Apple, Google, Microsoft and other manufacturers.
WikiLeaks then correctly says that not sharing details of the vulnerabilities with vendors and manufacturers is a bad thing – because it prevents the right people from patching the vulnerabilities and making us all stronger. And, more than that, while left unpatched there is nothing to stop intelligence agencies in other countries from exploiting the same security holes for their own spying activities.
I agree with that. I believe if a vulnerability is found it should be responsibly disclosed to the vendor or manufacturer so a proper fix can be put in place – to the benefit of all users around the world.
WikiLeaks so far has held back, not publicly releasing the alleged CIA hacking tools and exploit code. I hope they choose not to make them public as I doubt any good will come of it. Instead, WikiLeaks should share the information they acquired with the vendors who are best placed to fix the security holes.
Anything less than that is simply making things worse for all of us.
You can hear some of my personal views about WikiLeaks’s release of the “Vault 7” CIA data dump in this episode of the “Smashing Security” podcast where I was joined by Carole Theriault and special guest Paul Ducklin (better known as “Duck”).