WikiLeaks’ CIA ‘Vault7’ dump could put consumers at risk
WikiLeaks’ Tuesday release of thousands of confidential Central Intelligence Agency documents, many of which highlight previously unreleased security flaws in hardware and software, or zero-day vulnerabilities, may have put consumers at risk.
“They just dumped these vulnerabilities into public view without trying to contact vendors,” says Herb Lin, a computer security policy expert and research fellow at Stanford University’s Center for International Security and Cooperation. “It’s had the effect of increasing the amount of cyberinsecurity in the world, not decreasing it.”
While WikiLeaks claims to have released the documents in order to improve cybersecurity by helping U.S. citizens and the rest of the world understand how the CIA is spying on them, the publication of the file tranche may have the opposite effect. Publicly disclosing a variety of zero-day vulnerabilities, before vendors have had a chance to patch them, makes them available to a wider range of hackers.
WikiLeaks’ press release announcing the tranche of 8,761 documents and files, which it calls “Vault7,” claims that they reveal hacking techniques used for spying by the CIA from 2013 to 2016. These alleged internal CIA programs include Weeping Angel, for spying on Samsung smart TVs; Wrecking Crew, for crashing a computer’s operating system; Fine Dining, which allows CIA operatives to order custom hacking tools from the agency’s support division; and Umbrage.
What Umbrage actually does is disputed. WikiLeaks says Umbrage borrows the hacking techniques of other countries to mislead investigators as to the actual source of a particular cyberattack, through so-called “false flag” operations—no trivial matter, as government attributions of cyberattacks are notoriously difficult to prove.
Experts say WikiLeaks’ claims are not supported by the evidence thus far, though WikiLeaks is promising to release more documents related to the CIA. Umbrage actually cultivates a library of hacking techniques for the CIA to use and reuse, a less serious accusation.
Robert Graham, CEO of Errata Security, told The Intercept that Umbrage is more about saving time than drawing attention to Russia—or any other country—for something it didn’t do. “What we can conclusively say from the evidence in the documents is that they’re creating snippets of code for use in other projects, and they’re reusing methods in code that they find on the Internet,” he said.
Included in the Umbrage documents are some details, though not the full source code, of multiple zero-days across a range of software and hardware. Implicated technology includes Apple iPhones and Mac OS X, Google Android phones, Microsoft Windows, Linux computers, Samsung Smart TVs, Google Chrome, antivirus software, and various storage devices, routers, switches, and Internet Protocol telephones.
The CIA said in a statement on Wednesday that Americans “should be deeply troubled” by WikiLeaks’ actions. “Such disclosures not only jeopardize U.S. personnel and operations, but also equip our adversaries with tools and information to do us harm,” the spy agency said.
Many of the affected vendors The Parallax contacted downplayed potential risks that their customers face. Google’s Heather Adkins, director of information security and privacy, said in a statement that “security updates and protections in both Chrome and Android already shield users from many of these alleged vulnerabilities.”
Microsoft says the vulnerability information pertaining to its products appears to target “older systems,” which it says are largely patched. “We take security issues very seriously and are continuing a deeper analysis to determine if additional steps are necessary to further protect our customers,” a company representative said in a statement.
Samsung said it is “looking into” the situation. The Linux Foundation, which guides development of the open-source operating system, noted that Linux fixes security flaws in its software “rapidly” but did not directly address the leaked documents.
In a statement, Apple said, “While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities.”
While WikiLeaks says in its press release that some of the exposed Windows, Mac, iPhone, and Android operating-system vulnerabilities could let the CIA spy on a device’s camera or microphone, encrypted-messaging apps such as Signal have not been hacked by the CIA. Signal founder Moxie Marlinspike said in a statement that “none of the exploits” revealed by WikiLeaks “break” his Signal Protocol encryption, used in messaging apps made by WhatsApp, Facebook, Signal itself, and others.
“Ubiquitous end-to-end encryption is pushing intelligence agencies like the CIA from a world of undetectable mass surveillance to a world where they have to very selectively use high-risk, expensive, targeted attacks,” the company said.
WikiLeaks founder Julian Assange, for his part, appeared to acknowledge that the document dump has put consumers at risk. He said on Thursday during a live-stream press conference from the Ecuadorian Embassy in London, where he has lived since 2012, that WikiLeaks has “decided to work with” the manufacturers of the affected software “to give them some exclusive access to the additional technical details that we have so that fixes can be developed and pushed out, so that people can be secure.”
Days after the documents were made public, the scope of the risk that consumers face is not yet clear. Robert Hansen, CEO of intelligence and analysis firm OutsideIntel, calls the scope of the exploits “vast.”
“In terms of technical sophistication, this is very advanced, and it appears to be slightly old, which means they are no doubt far further in their capabilities,” he says. “This has a temporary deleterious effect, as the knowledge of the vulnerabilities causes attackers to research in areas they may not have originally looked.”
Over the long term, Hansen says, global cybersecurity will increase “as patches are made available. However, if you believe the CIA’s operations help to protect the worldwide geopolitical landscape, [the WikiLeaks document dump] is unlikely to help [its] mission.”
Lin says other countries now have a leg up on the cybersecurity tools the CIA uses to complete its mandate of spying on other countries.
The leaks, he says, reveal “sensitive tools” and make “those tools useless in the future. But then, I think the U.S. being able to spy on foreigners is good, not bad. And I don’t think we should apologize because we’re better at it.”
Errata’s Graham cautions against consumer fears over device insecurity, even though some of the leaked techniques could still be used against unpatched devices. He tells The Parallax that most of the vulnerabilities highlighted in the WikiLeaks document dump shouldn’t concern consumers because, as the affected vendors assert, many of the exploits have already been fixed.
“I find little in the CIA dump that’s really of concern to consumers,” he says.