Yesterday, WikiLeaks published thousands of pages of what appeared to be leaked internal CIA documents.
The haul, which WikiLeaks has somewhat pretentiously dubbed “Vault 7”, is claimed to be “the largest ever publication of confidential documents on the agency.”
The first 8,761 documents released by WikiLeaks appear to be fairly recent, and have been dubbed “Year zero” (again, for reasons perhaps best known to Julian Assange).
Some of the juicier titbits contained within the documents are already making plenty of headlines.
Unfortunately, some of the reporting has been sloppy.
Take, for instance, WikiLeaks’s claim that the CIA can use zero-day vulnerabilities to “bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman”. This sloppy language led some journalists to report that the CIA had found a vulnerability in the secure chat apps that allowed them to snoop on “secure” messages.
But that’s not true.
Instead, it appears that WikiLeaks is merely referring to the CIA’s ability to infect smartphones with spyware that can record conversations and keystrokes. No-one wants to be snooped on in that way, of course, but it’s a very different prospect from secure apps like Signal being found to contain a fundamental weakness.
If an unauthorised party has physical access to your computer or mobile device then all bets are off. Of course they could install spyware onto it.
The report resulted in Whisper Systems, the brains behind the Signal encrypted messaging app, putting the record straight:
The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption.
— Signal (@signalapp) March 7, 2017
Indeed you could argue that apps like Signal are doing a great job at securing their end-to-end encrypted communications if authorities have to go so far as intentionally meddling with one of the devices to discover what is being communicated.
You may also hear news reports of the CIA turning smart TVs into insidious spying devices, keeping a crafty eye and ear on viewers, after the following assessment made by WikiLeaks in its press release:
The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell’s 1984, but “Weeping Angel”, developed by the CIA’s Embedded Devices Branch (EDB), which infests smart TVs, transforming them into covert microphones, is surely its most emblematic realization.
The attack against Samsung smart TVs was developed in cooperation with the United Kingdom’s MI5/BTSS. After infestation, Weeping Angel places the target TV in a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on. In ‘Fake-Off’ mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.
Again, there’s some need for a fact check here.
“Weeping Angel”, named after a terrifying Doctor Who monster that you really shouldn’t blink at, is installed via a USB stick.
If you’re worried about the prospect of an intelligence agency breaking into your home in order to plug a malicious USB stick into the back of your Samsung Smart TV then I’d argue you probably should also be worrying that intelligence agencies are breaking into your house full stop.
After all, who knows where else they could be installing surveillance devices?
Now if there was any evidence that the Weeping Angel surveillance module could be installed onto smart TVs remotely without having to creep around someone’s house, or that TVs were being meddled with in the supply chain before arriving in households, then, well, maybe that would be more alarming.
Over the coming days there will no doubt be much more to dig out from WikiLeaks’ CIA files leak. In the meantime, here are some interesting articles to keep you occupied:
- Reuters: WikiLeaks says it releases files on CIA cyber spying tools
- The Intercept: The CIA didn’t break Signal or WhatsApp, despite what you’ve heard
- Ars Technica: After NSA hacking exposé, CIA staffers asked where Equation Group went wrong
One final thing.
WikiLeaks claims that the CIA has been “hoarding” serious zero-day vulnerabilities and exploits that allow it to break into and spy upon technology from the likes of Apple, Google, Microsoft and other manufacturers.
WikiLeaks then correctly says that not sharing details of the vulnerabilities with vendors and manufacturers is a bad thing – because it prevents the right people from patching the vulnerabilities and making us all stronger. And, more than that, while they are left unpatched there is nothing to stop intelligence agencies in other countries from exploiting the same security holes for their own spying activities.
I agree with that. I believe if a vulnerability is found it should be responsibly disclosed to the vendor or manufacturer so a proper fix can be put in place – to the benefit of all users around the world.
WikiLeaks so far has held back, not publicly releasing the alleged CIA hacking tools and exploit code. I hope they choose not to make them public as I doubt any good will come of it. Instead, WikiLeaks should share the information they acquired with the vendors who are best placed to fix the security holes.
Anything less than that is simply making things worse for all of us.
You can hear some of my personal views about WikiLeaks’s release of the “Vault 7” CIA data dump in this episode of the “Smashing Security” podcast where I was joined by Carole Theriault and special guest Paul Ducklin (better known as “Duck”).
Smashing Security #011: 'WikiLeaks and the CIA'
If they do release the hacking code and exploits, that may be a good thing for us security professionals – bags more work! ;-)
You're short of work?
This story made me wonder–aren't microphones and speakers pretty much the same, just with the signal going opposite ways, and therefore if you could hack into any TV with an internet connection (and USB port), couldn't you theoretically make it do the same using the speakers instead?
I'm sure if it were possible this would have come up before someone thought it was a good idea to add microphones, though.
You don't need a USB stick to install "Weeping Angel"!!!! Get your facts right before you start criticizing someone else for being sloppy with facts!
All you need to do to install "weeping angel" is to hack the TV, which can be done easily depending on how well the security is set up at that specific home, what services are running on it and how sloppy the home user is with IT-security overall (no firewalls, default passwords, admin access to all users etc…).
When you "are in" all you need to do is to remotely mount an ISO file (or download) with Weeping Angel on it and you are then ready to go. No need for physical break in at all.
Hi Bo
My reading of the leaked file ( https://wikileaks.org/ciav7p1/cms/page_12353643.html ) was that the "current" method they had for installation was via USB, and that a Samsung firmware update had already prevented that vector.
I haven't seen any claims in the documents that researchers had managed to install the code remotely.