In the first part of a Vault 7 leak series, the anonymous publishers of secret information at WikiLeaks have released documents containing information acquired by the CIA through the hacking of IoT devices.
A total of 8,761 documents were leaked from an isolated, high-security network inside the Central Intelligence Agency’s Center for Cyber Intelligence in Langley, Viriginia.
WikiLeaks calls the leak “Year Zero” in a nod to the zero days computer software vulnerability and claims this is the largest ever publication of confidential documents on the agency.
Supposedly it ‘introduces the scope and direction of the CIA’s global covert hacking program, its malware arsenal and dozens of ‘zero day’ weaponized exploits against a wide range of US and European company products, include Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.
This role reversal is likely to be highly embarrassing for the government agency which is tasked with accessing secrets, not leaking its own.
Leaks from a team of hackers
According to a WikiLeaks statement, the CIA’s hacking division – the Center for Cyber Intelligence – had over 5,000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other ‘weaponized’ malware.
Supposedly, these hackers used more code “than that used to run Facebook” between 2013 and 2016. WikiLeaks accuses the CIA of creating, “in effect, its ‘own NSA’, with even less accountability.”
Included in the details are documents relating to a surveillance technique know as ‘Weeping Angel’. This was supposedly used by the CIA and the UK’s MI5 intelligence organization to infest smart Samsung TVs, turning them into covert microphones.
Additionally, the statement said that the CIA also runs a “very substantial effort to infect and control Microsoft Windows users with its malware.”
Samsung and Microsoft have both said they are looking into the situation.
Citing fears that a cyber ‘weapon’ could be used by rival states and hackers, WikiLeaks editor Julian Assange stated that “There is an extreme proliferation risk in the development of cyber ‘weapons’. Comparisons can be drawn between the uncontrolled proliferation of such ‘weapons’, which results from the inability to contain them combined with their high market value, and the global arms trade. But the significance of “Year Zero” goes well beyond the choice between cyberwar and cyberpeace. The disclosure is also exceptional from a political, legal and forensic perspective.”
Read more: Businesses need more focus on smart device security, says Samsung
Commitments breached, powers exceeded
WikiLeaks claims its source believes this issue raises serious policy questions that need to be debated in public.
Not least among these will be the accusation that the CIA breached former President Barack Obama’s administration commitment to disclose all serious vulnerabilities, exploit, bugs or zero days to technology companies and US-manufacturers.
For example, specific CIA malware revealed in ‘Year Zero’ is able to penetrate, infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts. However, the CIA has kept these vulnerabilities concealed meaning the phones remain hackable.
Google has declined to comment on the allegations, according to the BBC, but in a more detail statement, Apple said “While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities.”
The company urges customers to download the latest iOS and ensure they have the most recent security update.
Read more: Security researchers find backdoor in Chinese IoT devices
“Hardly surprising”
Sharing his reaction to the leaks in emailed comments to journalists, Lee Munson, security researcher at cyber-security advice company Comparitech.com, said: “Wikileaks’ disclosure of what it claims are wide-ranging CIA hacking tools is hardly likely to surprise anyone in the post-Snowden world we now live in.
Munson suggested that whether cyber weapons exist is immaterial and that citizens should be no more concerned about surveillance today than they were yesterday.
“While exploits across a range of devices and the ability to turn on cameras and microphones is a touch chilling, they’re nothing new, and anyone with real concerns should already be going about their business with those possibilities in mind,” Munson said.
“The really interesting aspect to this leak, however, is how the alleged cyber-spying tools all appear to have one thing in common – the need to acquire information over the wire.
“That means, for now at least, we can assume that messaging systems with strong end-to-end encryption are beyond the reaches of the security services; a win for everyone who is truly concerned about protecting their privacy today.”
Ian Hughes, an IoT analyst at research company 451 Research, told Internet of Business that, “in the security industry, many people already do not trust their devices, covering cameras, disconnecting cameras in TVs.”
Hughes does believe, however, that in making this public, WikiLeaks will make people more aware of the need for stronger personal security.
Read more: IoT teddy bears leak more than 2 million recordings between parents and kids