WikiLeaks’ release of 8,761 pages of internal CIA documents makes this much abundantly clear: the agency has built a monster hacking operation – possibly the biggest in the world – on the backs of the many internet-connected household gadgets we take for granted.
That’s the main takeaway among security experts Naked Security reached out to after the leak went public earlier Tuesday.
Recap of events
For those just hearing the news, here’s a review of the last several hours:
WikiLeaks Tuesday launched a new series of leaks on the US Central Intelligence Agency it calls “Vault 7”. It claims this will represent the largest dump of confidential documents on the agency in history. The first full part of the series is called “Year Zero” and includes documents and files from an isolated, high-security network inside CIA headquarters in Langley, Virginia.
WikiLeaks said in its press release that Year Zero introduces the scope and direction of the CIA’s global covert hacking program, its malware arsenal and dozens of weaponized zero-day exploits against a wide range of US and European company products, including Apple’s iPhone, Google’s Android and Microsoft’s Windows, and even Samsung TVs, which are apparently turned into covert microphones.
It’s that mastery of Internet-of-Things (IoT) technology that has caught the attention of experts.
Hacking anything, anywhere
Eric Cowperthwaite, former VP of strategy for Core Security and now director of managed risk services for Edgile, said the CIA has built a capability to hack pretty much anything, anywhere. In his view, the CIA now potentially has more ability to intrude into servers, computers, smartphones and electronic communications than even the NSA.
Unfortunately, he added:
This capability is now in the hands of people other than the CIA. All the things you’ve read that seem like science fiction movie plots are really true. Other people can listen to you via your smart TV, can read your email, turn on the webcam on your laptop, without you ever knowing.
Christian Renaud, a 451 Research director specializing in IoT, said there are three possible scenarios at play:
- It’s all a smear campaign by the Russians, Chinese or others to raise concerns about the US intelligence community;
- It’s not a smear campaign and the NSA helped leak CIA sensitive data to gain points on the CIA, their rival; or
- A third party penetrated the CIA and leaked the information à la Snowden to raise awareness of what can only be described as a methodical security war against enemies and US citizens by an intelligence agency.
If the latter is true, he said:
Your government has been using your own devices to spy on you without warrant. If you’re not upset, you should be.
Sobering, but hardly surprising
Though the information certainly has a chilling effect among privacy rights advocates, security experts say the narrative should be of little surprise.
Nick Selby, CEO of the Secure Ideas Response Team, said that if anyone had been thinking that government agencies have avoided a full-scale embrace of the cyber-weapons arena or held out hope that “We don’t do that kind of thing,” then this should settle the score once and for all.
That does not mean that the CIA – or any other government agency – is spying on ordinary American citizens. It is evidence, though, that the agency has worked hard to maintain a stockpile of cross-platform cyberweapons that make both targeted and mass surveillance possible, despite a range of advances in cryptographic communications tools in the hands of the public.
In the grand scheme of things, Selby said, this is something every government engages in, and the CIA would have been remiss in its duties had it not been engaged in these activities:
For anyone to suggest that there is something inherently shady or disagreeable about an intelligence agency developing tools with which it can conduct intelligence operations for the purpose of intelligence gathering is to misunderstand the purpose of intelligence agencies.
Cowperthwaite added:
Much of this has been suspected, or reported on, over the years. To a great extent, this is corroboration of things already leaked out to the public. And it likely doesn’t represent state of the art.
Is WikiLeaks helping or harming?
Of course, whenever WikiLeaks dumps a bunch of information this way, the question must be asked: is it helping us be a better society by making us more aware, or is it simply generating chaos?
Cowperthwaite is torn, and brings up the example of Chelsea Manning, a United States Army soldier convicted by court-martial in 2013 for violating the Espionage Act and other offenses, after giving WikiLeaks nearly three-quarters of a million classified and/or sensitive military and diplomatic documents.
There is good and bad in this. We know that some of the Manning leaks had impacts on military operations. That was part of Manning’s trial. I also found it interesting that WikiLeaks alleges that the US Intelligence Community has a problem keeping its cyberwar tools off the black market. And if the CIA, NSA, etc. can’t keep these things under control, that is something that citizens should know.
The debate over the CIA’s capabilities and the pros and cons of WikiLeaks’ document dumps won’t be ending anytime soon. As those interviewed note, today’s release was just the first installment.
MossyRock
I’ve been following other articles on this development and have learned that Windows and Linux systems are also in the list of targets. Since this appears to have been deployed, why hasn’t this activity been discovered already by intrusion detection systems (IDS)? Institutions and corporations spend big bucks to protect their networks with IDS.
An internet connection is an internet connection, and a port is a port. When something connects that is unexpected or out of bounds, IDS should see it.
Mahhn
I suspect we’ll find that some Line Noise is saying a little more than thought.
There are non-public network protocols.
Anonymous
Agreed.
Tom
Most of us who have made careers out of computer and Internet security have known or suspected all this [WikiLeaks report] was possible. As Robert Morris said, “The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it.” I was always amused in the ’90s when posts on forums would say that the government was going to shut down the internet, not with that much free intel available. Spies may just have to go back to using a Minox and passing the film to their contact by sticking it to the underside of a Hyde Park bench.
Mike
Chelsea Manning also leaked the ‘collateral murder’ video, which shows a US Apache helicopter killing a Reuters journalist, and then intentionally killing the adults and children who had arrived to transport the wounded.
Although this is an IT security blog, I would have thought this would be ‘something that citizens should know’ over and above the CIA’s inability to stop their staff flogging zero-day exploits on the black market.
B
Whoa there, slow down Christian (not the blog proprietor). Where has it been demonstrated, by you or anyone else, that “[my] government has been spying on [me]”?
The CIA targets foreign actors, not US citizens. I’d actually be disappointed, for all the billions we devote to intelligence, if US intelligence agencies did not have IoT hacking ability. Instead what upsets me is the existence of so many government bureaucrats to leak classified information, arrogating to themselves, under a badge of self-righteousness, the power to divulge secrets that our democratically-elected representatives have determined should stay secret. Frankly anyone who thought that world governments did not have the capabilities disclosed by these leakers hasn’t been paying attention.
Fisht
If you believe that, I’ve got a bridge to sell you. The deep state is not our friend.
FreedomISaMYTH
Look at some of the countries the exploits were sold/given to from the CIA/NSA and tell me this is still okay…
The government has to do some dirty work for our security, but there are red lines they should not cross, ever… they didn’t just cross them, they went across the line, took a crap on the American people and then smothered it in our faces while saying it was for our own good. But you know it was for the good of the country!!!!!
The CIA and FBI need a collar and leash attached to them with extreme accountability/transparency imposed… they have proven they cannot be trusted by the taxpayers.
Matt Parkes
I agree and would reiterate that these leaks suggest the intelligence agencies have the capability of spying on people anywhere, but I would seriously suggest that just because they can spy anywhere does not mean they spy everywhere; the consequences and dangers of spying on a regular John Doe who is not a person of interest in any circumstances make it a waste of time, and I would think it is not done, as this or any other article suggests. Yes, there is potential, but as for actual – we don’t know.
Chase
Thank you for providing opinions from both sides of the argument (for/against the CIA). Personally I don’t believe this stuff to be anything groundbreaking, and it features a lot of people jumping to conclusions (i.e. the CIA looking into hacking cars must immediately mean they are using them for assassinations).
Mahhn
I’m sure this is a touchy subject for the vendors, but I need to ask.
Apparently “Sophos Virus Removal” along with other popular AV tools are on the list of CIA hacked/backdoor applications. Are these exploited versions OEM, or modified after leaving the developers?
If they are OEM, can you say if it was an operative working as a developer or an original developer that was coerced, or the company manipulated?
If after leaving/redistributed, is it from specific public sites (cnet.com, Tucows) or from storage devices loaded up from their own resource centers?
https://www.bleepingcomputer.com/news/security/vault-7-cia-developed-24-decoy-applications-to-spy-on-targets/
Thank you
Bill Brenner
Paul Ducklin wrote a follow-up piece I believe addresses this quite well. If you still have questions after reading it, let us know and we’ll work on more clarity: https://blogs.sophos.com/2017/03/10/qa-wikileaks-the-cia-fine-dining-and-dll-hijacks/
deijdotcom
I still can’t believe what I’m reading in the past few hours. With respect, and after more than 20 years in the business, any security expert that thinks the CIA or other teams or governments can magically hack pretty much anything, anywhere has little knowledge about the technologies discussed and in general. This is not magic, Lord of the Rings or a Harry Potter book… please.
Dan
Why does anyone care about our military being compromised? Our military stopped intending to win wars for America and Americans in the 1950s. It is now just a tool of the Deep State and works only for interests that do not have the well-being of the average American in mind, that’s for sure.
John C.
Christian Renaud says our government is spying on us. Where did he get that information? Does the fact that they have the ability to spy on us (duh!) automatically mean they are doing it? It’s like saying anyone who owns a gun is a murderer. I’m not claiming domestic spying doesn’t happen, I’m just saying that Mr. Renaud is stating opinions based on nothing but his prejudice. The WikiLeaks dump changes nothing: people who believed the CIA spies on its own countrymen still believe it, and those who didn’t still don’t.
Chase
The thing is that domestic spying isn’t anywhere close to the CIA’s mission; there are other organizations that have that responsibility. To say that the CIA is engaging in domestic spying would be like saying that the Air Force has submarines.
Steve
What you say is true – in theory. But it’s possible that the Air Force *could* have submarines. After all, the Navy sure has a massive collection of aircraft! Of course, if the USAF was trying to acquire subs, we would probably hear about it. BUT they are not an organization dedicated to covert operations like the CIA. We really have no idea what the CIA is doing.
Chase
My point is that the Air Force having submarines would make no sense because it goes against their fundamental mission. The Navy has aircraft because it supports their mission of naval superiority. Why would an organization that is dedicated to gathering foreign intelligence waste resources doing domestic surveillance when other organizations get funding specifically for that?
David Bracken
Does WikiLeaks ever publish compromising information on non-democratic countries such as Russia, China, North Korea, etc? Or some of the Mideast nations? It sure seems like they have a focused and targeted agenda. Are they trying to help or hurt?