Spies do spying, part 97: Shock horror as CIA turn phones, TVs, computers into surveillance bugs
Nothing to fear, citizens. Keep consuming. Keep smiling
WikiLeaks has dumped online what appears to be a trove of CIA documents outlining the American murder-snoops' ability to spy on people.
The leaked files describe security exploits used to compromise vulnerable Android handhelds, Apple iPhones, Samsung TVs, Windows PCs, Macs, and other devices, to read messages, listen in via built-in microphones, and so on. The dossiers discuss malware that can infect CD and DVD disc file systems, and USB sticks, to jump air-gaps and compromise sensitive and protected machines – plus loads more spying techniques and tools.
The tranche of CIA documents – a mammoth 8,761 files dubbed "Year Zero" – accounts for "the entire hacking capacity of the CIA," WikiLeaker-in-chief Julian Assange boasted today. He said the documents show the intelligence agency had lost "control of its arsenal" of exploits and hacking tools, suggesting they were passed to the website by a rogue operative.
"'Year Zero' introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal, and dozens of 'zero day' weaponized exploits against a wide range of US and European company products, [including] Apple's iPhone, Google's Android, Microsoft's Windows and even Samsung's TVs, which are turned into covert microphones," the WikiLeaks team said in a statement.
"The archive appears to have been circulated among former US government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive," it added.
We're still poring over the files. So far, from what we can tell, these "zero days" are said to affect older versions of Android and iOS. Compromising a smart TV requires jabbing a USB stick into it. In any case, WikiLeaks wants to spur public debate over the CIA's capabilities:
By the end of 2016, the CIA's hacking division, which formally falls under the agency's Center for Cyber Intelligence (CCI), had over 5,000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other 'weaponized' malware. Such is the scale of the CIA's undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its 'own NSA' with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.
When NSA techie Edward Snowden leaked documents from his agency, he got journalists to screen and, where necessary, redact portions of his vast PowerPoint slide dump. For today's Vault 7 leaks, WikiLeaks said it had done this work itself:
WikiLeaks has carefully reviewed the 'Year Zero' disclosure and published substantive CIA documentation while avoiding the distribution of 'armed' cyberweapons until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should be analyzed, disarmed and published.
WikiLeaks has also decided to redact and anonymize some identifying information in 'Year Zero' for in-depth analysis. These redactions include tens of thousands of CIA targets and attack machines throughout Latin America, Europe and the United States.
One silver lining is that this leak demonstrates it is so difficult to crack today's end-to-end encryption apps, such as Signal and WhatsApp, that spies have to drill into the underlying devices and computers to snoop on people. That's a lot of effort, cost, and risk, compared to eavesdropping on communications on the wire, which strong end-to-end cryptography comfortably thwarts. Agents are therefore forced to carry out targeted snooping on individuals' devices, rather than carry out mass blanket surveillance.
Year Zero is the first part of a larger release of information codenamed "Vault 7" by WikiLeaks, and is touted as the largest-ever publication of confidential documents on the intelligence agency. ®
Sponsored: Becoming a Pragmatic Security Leader