WikiLeaks has released a second set of documents from its so-called “Vault 7” set of information that allegedly details the tools the CIA uses to hack phones, computers, and other devices.
The second release is called “Dark Matter,” and according to WikiLeaks, it showcases some of the tools the CIA has used to hack the firmware of Apple smartphones and computers.
By injecting code into the firmware, the CIA could allegedly infect a device in a way that makes it difficult to remove spyware even if you reinstall the operating system.
The good news is that hackers need physical access to a device to do this. The bad news is that this doesn’t necessarily mean the CIA has to sneak into your house and grab your phone.
WikiLeaks posits that “it is likely that many CIA physical access attacks have infected the targeted organization’s supply chain.”
In other words, government spies could try to infect a phone before you even receive it. You place an order, a government spy intercepts the order in transit, opens the box, installs the malware, and then repackages it and sends it on its way.
Is this something you should be worried about? Maybe, maybe not. The CIA is supposed to spy on people… although there should be systems in place to make sure these sorts of activities are only conducted against targets where there is reasonable suspicion.
So far I haven’t seen any evidence from the Vault 7 documents suggesting that the CIA was breaking any US laws by using its hacking tools. But there is at least one thing worrying about the security vulnerabilities the CIA has to exploit in order to hack devices including iPhones and Macs: the documents allege that the CIA is aware of those security vulnerabilities, but withholds the information from Apple and other companies whose products are affected.
If the CIA can figure out how to hack into your phone using those exploits, then there’s a chance someone else could as well.
WikiLeaks has previously said that it will work with tech companies to identify and patch the vulnerabilities revealed by the Vault 7 documents. But the Vault 7 files and documents are already a bit old and it’s likely that the CIA and other government agencies already have a number of stockpiled exploits that are not mentioned in these documents.