Yesterday WikiLeaks released the first part of its “Vault 7” archive with thousands of pages and files that allegedly reveal some of the tools the US Central Intelligence Agency uses to hack phones, computers, and even TVs. Security experts, privacy advocates, and some of the companies whose products are affected are starting to weigh in.
So how worried should you be that the CIA can hack your stuff? I’m going to go with “moderately.”
Look, you probably already knew that the CIA, NSA, and other spy agencies had tools for hacking into computers and phones of suspected terrorists.
My bigger concern is what these documents tell us about the security and privacy of those who either aren’t targets of investigations at all, or who may be under investigation for erroneous reasons.
The CIA is stockpiling security vulnerabilities and sometimes even paying for them. Since the agency is not disclosing these security flaws to companies like Google, Apple, Samsung, or Microsoft, users are not only subject to CIA hacking, but also to hacking by anyone else who is aware of those vulnerabilities.
So in the interest of national security, the CIA (and probably other government agencies) are ensuring that your devices are less secure than they could be.
So what does that mean?
Many of the CIA hacking tools discussed in the leak involve smartphones, and many of those are focused on Android, which makes sense. It’s the world’s most used smartphone operating system, and phones are tiny GPS tracking devices that we carry everywhere we go. They’re also listening devices that keep a record of our communications, web browsing, and more.
The good news for Android users worried about privacy is that many of the vulnerabilities mentioned seem to address older versions of Android. The less good news is that this doesn’t necessarily mean the CIA can’t hack newer versions of the operating system: Vault 7 might just contain out-of-date information and lack details about newer tools the CIA is using.
Update: Google says many of the exploits revealed by Vault 7 have already been fixed.
Verdict: If you’ve got a phone running a newer version of Android, it’s probably safer from some forms of attack than one stuck on Android 4.0. But it’s not really clear at this point how much safer.
Have an iPhone?
Most of the things I said above apply to iOS. But Apple has taken the step of releasing a statement saying that the company’s “initial analysis indicates that many of the issues leaked… were already patched in the latest iOS.”
Again, while that means that some of the information in Vault 7 is out of date, we don’t know what we don’t know about newer tools used by the CIA yet.
Since the Vault 7 documents also lack actual code, it could be difficult for companies like Apple and Google to use the leaked data to try to identify and patch security vulnerabilities, although both companies will undoubtedly be doing their best to do so.
Verdict: See above… but since Apple has a much better mechanism for pushing software updates to users than Google, the vast majority of iPhone and iPad users are running the latest version.
Using WhatsApp, Signal, Telegram, or other “secure” communication apps?
While some initial headlines made it sound like the CIA has cracked the encryption used by these apps, that’s not exactly true. The encryption still works to keep your messages private.
But if your phone is hacked, then the CIA can bypass the encryption in order to monitor your communications.
The distinction might sound academic: the apps are safe, but only if your phone isn’t already compromised. But this means that efforts to tighten security need to focus on the operating systems, not the apps or the Signal communication protocol.
Verdict: If you want to use a private messaging app, go ahead and keep using one featuring the Signal protocol. It might not protect you if you (or the person you’re communicating with) have a compromised device. But it’s safer than not using encrypted communications.
Have a Samsung Smart TV?
Some models are subject to the “Weeping Angel” exploit, which allows the CIA to turn on the mic on a TV and use it as a listening device, even when the TV display is turned off.
Sounds scary, and it kind of is.
But it’s also limited in scope. If you don’t have a TV with a mic (for voice commands), then you’re probably not affected. And more importantly, this isn’t a remote exploit, which means it can’t be delivered over the internet.
Someone actually needs physical access to your TV to install the software.
Verdict: Personally I’m a fan of buying a dumb TV and connecting it to the third-party “smart TV” box of your choice anyway. But if you’re paranoid, you can just focus on buying a TV with no mic… or unplug your TV when you’re not using it.
What about Windows, Mac, and Linux computers?
There’s much less talk of the CIA’s techniques for hacking desktop operating systems, but there are a few mentions of vulnerabilities that can bypass antivirus software on Windows or attack the BIOS on Macs.
The good news is that there may be just enough information to allow antivirus software companies to start detecting (at least some) CIA intrusions.
Verdict: ¯\_(ツ)_/¯ I mean, you could do the usual things and keep your antivirus software up to date, practice safe browsing, and maybe put tape or another shield over your camera when it’s not in use. But we don’t actually know very much about these particular vulnerabilities.
It looks like WikiLeaks may have overhyped the contents of the Vault 7 release, but the biggest revelation might not be about the specific hacking tools at the spy agency’s disposal (or the level of classification on the leaked documents).
It might be that the agency is more interested in stockpiling vulnerabilities for its own use than in disclosing them so that they can be patched. And as the EFF notes, that puts citizens at risk rather than protecting them.
Of course, it’s not particularly surprising to know that this has been going on. But it’ll be interesting to see if there’s any call to change course now that the information is public… or if the government will instead focus on hunting down the leakers rather than dealing with the contents of the leaks.