Government

WikiLeaks drops revelations of an alleged broad CIA hacking arsenal

On March 7 2017, WikiLeaks began its new series of leaks on the U.S. Central Intelligence Agency. Code-named "Vault 7" by WikiLeaks, it is the largest ever publication of confidential documents on the agency. The first full part of the series, "Year Zero", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virginia.

The technology industry has been scrambling to understand the implications of the alleged CIA hacking arsenal described in the WikiLeaks documents, which is said to be capable of spying on phones and other connected devices – even end-to-end encrypted applications like WhatsApp.

Major technology firms, such as Apple and Samsung, have responded to the revelations saying they are looking closely at the released documents. Apple said in a release, "While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue to work rapidly to rapidly address any identified vulnerabilities."

Samsung responded publicly to the revelations, saying: "We are aware of the report in question and are urgently looking into the matter." Meanwhile, Microsoft said it is "aware of the report" and is "looking into it".

Some analysts, however, doubt the severity of the leaked documents, especially because they have not been confirmed as authentic yet. The 2013 revelations from former US national security contractor Edward Snowden, who revealed mass surveillance tools used by the National Security Agency, are seen by some as more controversial.

Since 2001 the CIA has gained political and budgetary preeminence over the U.S. National Security Agency (NSA). The CIA found itself building not just its now infamous drone fleet, but a very different type of covert, globe-spanning force — its own substantial fleet of hackers, says a WikiLeaks release.

The agency's hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities.

By the end of 2016, the CIA's hacking division, which formally falls under the agency's Center for Cyber Intelligence (CCI), had over 5,000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other "weaponized" malware.

Such is the scale of the CIA's undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its "own NSA" with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.

In a statement to WikiLeaks the source details policy questions that they say urgently need to be debated in public, including whether the CIA's hacking capabilities exceed its mandated powers and the problem of public oversight of the agency. The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons, says the WikiLeaks release.

"These are targeted mechanisms; they can't be used for bulk intelligence," said Joseph Hall, a technologist with the Center for Democracy and Technology, a digital rights organization. "It means they can't attack things in the middle and the core of the network, they have to go to the endpoints, and that's actually a nice thing. You have to be more precise about who you are targeting."

But the report raises serious concerns about the US government's promise to disclose security flaws to technology firms under a so-called "vulnerabilities equities process." The pledge suggests that "security flaws should get back to the companies so they can get fixed, and not languish for years," said Hall.

The leaked documents by WikiLeaks indicates that the CIA has tools that could turn smart TVs into listening devices, bypass popular encryption apps such as WhatsApp, and potentially control connected automobiles. The documents suggest CIA tools have targeted iPhones, Android systems which is what US President Donald Trump's personal phone uses, and also popular Microsoft software.

Open Whisper Systems, the company that developed the technology for the communications tool Signal, said the CIA documents showed its encryption works. The WikiLeaks report "is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption," the group said in a tweet. Other encryption experts agreed.

In a blog post, Steve Bellovin, a Columbia University computer science researcher, said the existence of these hacking tools is "a testimonial to the strength of the encryption." He said it's "hard or impossible to break, so the CIA is resorting to expensive, targeted attacks."

Other experts suggest that the hacks are simply a method of the CIA to trick people into installing their software. "Snowden revealed how the NSA was surveilling all Americans," said Robert Graham, a researcher with Errata Security.

"Nothing like that appears in the CIA dump. It's all legitimate spy stuff (assuming you think spying on foreign adversaries is legitimate)."

Bruce Schneier, chief technology officer at IBM Resilient and a frequent critic of government surveillance, said on his blog: "There is absolutely nothing illegal in the contents of any of this stuff. It's exactly what you'd expect the CIA to be doing in cyberspace."