Bombshell claims by WikiLeaks that the CIA actively developed “hacking tools” to compromise billions of everyday electronic devices, only to then lose control of the techniques, has stunned the cyber community.
On March 7, WikiLeaks released documents leaked from a “high security” network within the CIA. The files, dubbed “Vault 7,” have been described by the whistleblowing site as the “largest ever publication of confidential documents” on the CIA.
The documents purportedly hold details about the agency’s capabilities to tap into smartphones, televisions and messaging apps, even before encryption has been applied.
The CIA has refused to comment on the authenticity of the documents and the source of the leak has not been revealed. However, the incident has reignited fears about whether privacy can ever truly be guarded in the modern world.
Here’s what you need to know about the Vault 7 release:
– A treasure trove of spy material
WikiLeaks said the release is just 1 percent of the Vault 7 documents it has obtained. The first leak contains approximately 8,761 files and millions of codes, which allegedly originate from a CIA center in Langley, Virginia and date from 2013 to 2016.
The details provided so far by WikiLeaks read like a program hell-bent on gathering information that could be used to exploit security vulnerabilities in tech made by some of the world’s biggest manufacturers.
According to the leaks, malicious software capable of leaving false author fingerprints may also have been developed by the CIA, in order to pin the blame of global hacks on different nations.
“The technology is designed to be unaccountable, it’s designed to be untraceable, it’s designed to hide itself,” Assange said of the spy material. “It’s designed to throw off people looking to see where there are fingerprints that might demonstrate who authored that technology.”
– CIA ‘hacking arsenal’
Labelled a “hacking arsenal”by WikiLeaks, the documents offer information about a CIA Engineering Development Group (EDG) tasked with developing a “global covert hacking program.” The program includes ways to gather “geolocation, audio and text communications” from phones without people’s knowledge.
The leaks also state the CIA created malware and trojans to allow hackers to covertly take over computers. To date, Apple’s iOS operating system, Google’s Android phones, Telegram, WhatsApp and Microsoft Windows programs are said to have been targets.
The top selling television brand in 2015, Samsung, was also subject to the surreptitious advances by the CIA, according to WikiLeaks. The company’s smart television device was reportedly earmarked for a fake “off-mode” hack, through which audio could be secretly recorded.
– Assange offers to coach companies on CIA tactics
In a livestream Thursday, Assange said WikiLeaks is prepared to offer its technical expertise to companies that have suffered “billions of dollars of damage” as a result of nation-state hacking.
“We have decided to work with them, to give them some exclusive access to some of the technical details we have, so that fixes can be pushed out,” he said.
Tech firms such as Samsung and Apple have since moved to allay customers’ fears, although company concern over unknown software vulnerabilities is palpable. “While our initial analysis indicates that many of the issues today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities,” Apple said.
Samsung said: “Protecting consumers’ privacy and the security of our devices is a top priority,” and added, “We are aware of the report in question and are urgently looking into the matter.”
Google says it is confident that its security updates have patched areas open to exploitation. However, it is continuing to carry out an investigation into their concerns. “Our analysis is ongoing and we will implement any further necessary protections,” the search engine giant told Recode.
Meanwhile, Microsoft told CNET that customers using Windows 10 are safe from “dated” vulnerabilities, saying: “We take security issues very seriously and are continuing a deeper analysis to determine if additional steps are necessary.”
Telegram, the encrypted messaging service, pointed out that it is up to the device and operating system manufacturers to plug gaps open to prying intelligence agencies. It added: “The tools from ‘Vault 7’ are like a map of [secret] tunnels. Now that device and OS manufacturers like Apple and Google will get this map, they can start filling in the holes and boarding up the passages.”
– Digital Geneva Convention
Outside of a scramble to secure products and maintain consumer trust, the WikiLeaks revelations have led to more broad suggestions on how to stem seemingly runaway government surveillance.
One such idea has been a so-called “Digital Geneva Convention,” mooted by Microsoft president Brad Smith in February and then promoted by WikiLeaks founder Julian Assange during a Vault 7 video stream.
The concept would most likely be symbolic and a benchmark for government cyber activities.
Microsoft’s vision of such a global consensus involves tech companies and private sector businesses being out of bounds for nation-state hacking. It also states that any cyber weapons developed by governments would not be “reusable.”