WikiLeaks yesterday dumped a collection of 8,761 leaked documents originating from the CIA, detailing the covert agency’s work in subverting security features in Android, iOS and even smart televisions. WikiLeaks says that this data dump, dubbed “Year Zero”, is only the first part and that there will be subsequent releases. The data collection sheds light on the lengths to which the covert agency has gone in order to be able to engage in espionage. Here are the essentials you must know.
What has the CIA Done
The documents leaked show that the CIA has found and even purchased known OS-level vulnerabilities in order to be able to develop tools that will allow them to exploit said vulnerabilities. The agency is shown to have collaborated with British Intelligence in developing one tool, while purchasing the knowledge of vulnerabilities from Cyber Arms Contractors. What has become clear, however, is that the agency has had knowledge of OS-level exploits, which they have chosen to withhold from companies like Google, Apple and Microsoft. This was done as a means of retaining a way to exploit the software created by these companies for their smartphones and other digital devices.
About your Smartphone
The leaked documents reveal that, between 2014 and 2016, the CIA had 24 weaponized exploits available for Android and only 14 for iOS. However, the documents indicate that the CIA has dedicated more resources to developing working exploits for iOS, mostly due to the platform’s popularity among the political and enterprise segments. The documents show work extending up to iOS 9.2 for Apple’s operating system, while the Android exploits were more localized to specific versions of Chrome and Opera, and to devices running the Adreno 225 or 320 chipset. There was mention of some Samsung smartphones, and of an exploit that could take advantage of vulnerabilities in Android KitKat. Thankfully, most of the listed vulnerable programs and devices seem to be rather old. This makes a strong case for staying up-to-date on software updates. However, with these covert agencies, there’s no telling what they are capable of.
Those encrypted messaging apps
The leaked documents suggested that the CIA was in possession of tools that could provide access to messages and audio files shared via WhatsApp, Signal, Telegram and Weibo (and other such apps). However, it should be noted that the tools don’t break the encryption used by these apps. Instead, they work by infecting a smartphone and then intercepting the data stream before it is encrypted (on the sender’s side) or right after it is decrypted (on the receiver’s side). Edward Snowden was kind enough to clarify this point, stating that it is not the encryption that’s been broken, but the host device that has been hijacked.
PSA: This incorrectly implies CIA hacked these apps / encryption. But the docs show iOS/Android are what got hacked – a much bigger problem. https://t.co/Bw9AkBpOdt
— Edward Snowden (@Snowden) March 7, 2017
It is shown in the data dump that the CIA has tools that could target Samsung SmartTVs, putting them into a fake “switched off” state while turning on the microphone in order to record and transmit any conversation that may take place in the room. The information we have so far shows that only Samsung SmartTVs were targeted, but there is no reason to believe that the exploit couldn’t be further developed for SmartTVs from other brands, seeing how they all run a mostly unified version of Android.
The Dangerous Implications
The extent to which the CIA has expanded its effort to exploit digital devices is alarming, to say the least. In an age where all aspects of our lives reside in the digital domain, the impact of the CIA actively withholding OS vulnerabilities from companies is just scary. Let us not overlook the fact that “smart” devices are starting to become more pervasive in our lives. We’ve got smart-locks for homes, smart refrigerators and a whole range of Internet of Things devices. However, the scariest of all is the possibility of the CIA developing tools to hijack an Amazon Echo or Google Home. These are essentially voice-enabled smart speakers which can pick up a lot more than just the commands issued to them, given that they are always listening. The documents also shed light on efforts to develop means of hijacking a car’s on-board computer.
By keeping the vulnerabilities in Android and iOS secret, the CIA has violated an order signed by the Obama administration that said that “the executive would disclose on an ongoing basis — rather than hoard — serious vulnerabilities, exploits, bugs or “zero days” to Apple, Google, Microsoft, and other US-based manufacturers.” In addition, by leaving gaping holes open for itself to exploit, the CIA has also inadvertently made smartphones less secure, leaving room for other security agencies and hackers to discover and exploit these loopholes. In ensuring a backdoor for their exploit tools, the CIA has played a part in ensuring that other agencies with malicious intent could potentially break into your phone and hijack your data.
Why you shouldn’t ditch all your electronics
While the leak is as embarrassing as it is worrisome, there are a few reasons why you probably shouldn’t be worried. For starters, these tools are designed for targeted use and do not appear to be tools of mass surveillance. So it is highly unlikely that the CIA has planted one of these exploits on your phone. Second, and more importantly, the leak lists various loopholes being exploited in much older versions of iOS and Android. Apple came forward and stated that most of the vulnerabilities listed in the WikiLeaks dump have already been patched. Similarly, it’s only Android KitKat that is wholly vulnerable to exploits, and if you’re anyone of any importance, chances are you’re way past that chocolate-named operating system. All in all, the leak doesn’t seem to reveal any of the latest devices as being vulnerable, which is a good thing.
It isn’t earth-shattering news that the CIA has exploits that can get into and hijack our phones or other internet-connected devices. The real concern here is that the agency purposely held back on sharing information that could have collectively made the digital world a whole lot safer for users across all age brackets. However, the biggest concern here is the viability of an ecosystem of “connected devices.” The possibility of hackers or security agencies being able to turn every camera into a spy-cam and every microphone into a listening device is too Orwellian a future for any of us to want. Pro-tip: Just stick to owning smartphones, and refrain from buying any other “smart device.” We also strongly recommend staying up-to-date on software updates.