WikiLeaks Just Dumped a Mega-Trove of CIA Hacking Secrets
Credit to Author: Lily Hay Newman | Date: Tue, 07 Mar 2017 16:40:49 +0000
On Tuesday morning, WikiLeaks published a data trove that appears to contain extensive documentation of secret Central Intelligence Agency spying operations and hacking tools. Codenamed “Vault 7,” the trove contains 8,761 documents, and WikiLeaks claims that it represents “the majority of [the CIA] hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation.”
Initial expert reactions are that the data seems legitimate, and that it will create deep problems for the CIA on many fronts. The leak has the potential both to undermine the agency’s ability to carry out offensive intelligence gathering, and to damage its international public perception. It exposes CIA capabilities and tools such as unpatched iOS and Android vulnerabilities, strategies for compromising end-to-end encrypted chats (by compromising the endpoint device, not the encryption itself), bugs in Windows, and even the ability to turn Samsung smart TVs into listening devices.
“From what I can tell, this seems to be legitimate,” says David Kennedy, CEO of TrustedSec, who formerly worked at the NSA and with the Marine Corps’ signals intelligence unit. “It shows expansive capabilities of the CIA and divulges NSA tools as well. But a lot of it seems to be missing, as far as direct codebase used for these.” WikiLeaks says it redacted much of that more specific information.
Those redactions, in part, make it difficult to ascertain just how comprehensive the leaked information is; in spite of WikiLeaks’ claims, it may be only a small fraction of the CIA’s total arsenal. WikiLeaks itself has said it will release additional CIA data dumps in the future.
“I don’t think that this is everything. It likely represents a very limited view of the overall network exploitation program,” says Jake Williams, founder of the threat intelligence firm Rendition Infosec. The WikiLeaks dump includes no mention of iOS 10, for instance, an operating system that has been on the market for months. “But there’s a lot here and it’s likely going to be very damaging to US international relations.”
Given the polarized political climate in the US, and President Donald Trump’s recent feuds with the intelligence community, the leak highlights a tension between the importance of checking intelligence overreach, and the need to maintain US defense and intelligence-gathering capabilities abroad. It also keeps WikiLeaks once again at the center of a potential firestorm—one that will likely disrupt the CIA’s operations.
“Who knows how it got leaked,” says Kennedy. “But honestly if I were a foreign nation and published this, I would think that this could completely reduce our capabilities abroad.”
Disclosing spy tools that rely on software vulnerabilities hinders intelligence organizations because it gives manufacturers the opportunity to patch their code and close the backdoors that gave spies access. Protecting users necessitates that process, as does the reality that intelligence groups can’t ensure that some malicious actor isn’t also using an active exploit. If the CIA can get into a device, so can a black hat hacker.
During the Obama administration, the White House worked to create the Vulnerabilities Equities Process, which attempted to create a framework the intelligence community could use to motivate disclosure of as many vulnerabilities as possible, while still allowing agencies to retain some undisclosed zero-day vulnerabilities when they concluded it was in the public interest. The CIA leak appears to validate criticism that the process lacks transparency, and doesn’t achieve its goals.
“We were [estimating] the total arsenal of zero days was in the dozens and that was for everyone, including NSA,” says Jason Healey, a cyber conflict researcher at Columbia University. “So if you find dozens in here alone, then that means we only guessed part of the total.”