WikiLeaks has released thousands of documents that appear to show how the US Central Intelligence Agency (CIA) is able to spy on smartphones, computers and other internet-connected devices. They apparently have the ability to break into any Android and iPhone smartphone, as well as devices running Windows, Mac OS or Linux operating systems. Though the leak doesn’t tell us how widely these techniques are used, it does highlight just how vulnerable the technology on which we increasingly rely is to security breaches.
How can the CIA hack these devices?
The leaked documents suggest the CIA has a catalogue of “zero-day” vulnerabilities. A software vulnerability is typically a flaw in a program that a hacker can use to undermine the security of a system and break in to control it or steal its data. Usually, vulnerabilities are reported to vendors so they can produce a software patch that will fix the flaw and to eliminate or reduce the chances of a successful attack. Those flaws that the software manufacturer doesn’t know about are called zero-day vulnerabilities (referring to the number of days the manufacturer has known about the problem).
By exploiting these zero-day vulnerabilities, the CIA could theoretically undermine the controls of computer operating systems and smartphones. This would allow it to bypass, for example, the security of many messaging apps that are considered secure, such as WhatsApp, Telegram or Signal. It doesn’t show that these apps have had their strong encryption methods broken – instead the messages can be read directly from the operating system before being encrypted.
What can the CIA do with these techniques?
The leaked documents also detail a highly technical catalogue of hacking tools, such as instructions for compromising Skype, Wi-Fi networks, PDF documents and commercial anti-virus programs. There are also instructions on how to steal passwords, such as those inputted into internet browsers. For example, a technique called “QuarkMatter” can insert stealthy spying software on an Apple computer by hiding it in the EFI system partition, the part of the hard drive where the startup files are kept.
The documents also report that the CIA might be able to listen to conversations heard by the microphones in smart TVs even when the TVs appear to be switched off. But that doesn’t mean the CIA can exploit anyone’s smart TV. The program, called “Weeping Angel”, was designed specifically for the Samsung F8000 TV. And it is entirely possible that the CIA created this technique (and others like it) just to target specific individuals. It also seems that the program can only be loaded onto a television via a software update from a USB device. So someone would have to enter your house and access your TV to be able to hack it.
But we should also note that other “Internet of Things” connected devices could be used for similar purposes, such as the Amazon Echo home assistant. The CIA has, it is claimed, even explored ways of remotely controlling and hacking into cars in order to crash them, creating a “nearly undetectable assassination”.
How serious is the issue?
Many commenters have noted that some of the vulnerabilities that are shown in the catalogue are old and some of them have already been patched up. For example, the Samsung TV hack is not possible anymore in recent devices with updated firmware. But that doesn’t mean that the CIA (or any other intelligence agency) hasn’t updated its arsenal to exploit newer vulnerabilities.
The document suggests the CIA is willing to exploit public technology for spying and put it at further risk of hacking. If manufacturers don’t know about vulnerabilities then they can’t fix them and so they are also available for malicious hackers or other governments to exploit as well.
The US government has established the Vulnerabilities Equities Process (VEP) as a way of helping its agencies deciding whether or not to disclose or not a vulnerability. If the CIA is stockpiling a catalogue of vulnerabilities it discovers, as other agencies have previously denied doing, then it may be ignoring this protocol. There are exceptions, such as if the exploit has “a clear national security or law enforcement need”. But as we don’t know how the vulnerabilities have been exploited, it isn’t clear if they fall into this category.
It’s also not clear what other hacking activities the CIA may be undertaking. The leak includes 8,761 documents and files, many of which haven’t yet been analysed, and there are likely more documents to come. Some documents have been redacted by WikiLeaks editors to avoid disclosing the actual programming code for the attacks, to make it difficult to copy them.
Finally, it appears that the entire archive of disclosed CIA toolkit consists of several hundred million lines of code (by comparison, Windows 7 is composed of 25m lines of code). So it might take some time to fully understand the extent of their hacking capabilities.
Daniele Sgandurra does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond the academic appointment above.