This week WikiLeaks released thousands of pages of documents related to the CIA’s tools for hacking smartphones, computers, and other devices. But the anti-secrecy organization says the full “Vault 7” archive also contains more code and technical details which haven’t yet been released.
Now WikiLeaks founder Julian Assange says the organization will share details with tech companies so that the security vulnerabilities can be identified and fixed before WikiLeaks releases the rest of the information to the public.
WikiLeaks has a sort of spotty record with this sort of thing. The group has been known to release unredacted documents featuring phone numbers, credit card information, and other sensitive details in the past. But before releasing the initial “Year Zero” portion of the Vault 7 archive, WikiLeaks redacted much of that kind of information.
And by not releasing any actual code, WikiLeaks was able to make the public aware of some of the CIA’s hacking tools without making those same tools available to malicious hackers who might be able to use them.
There’s currently no evidence that the CIA was using these tools for any purpose other than to spy on suspected criminals. But by stockpiling security vulnerabilities that it could use to spy on people, the CIA knowingly left smartphones, computers, smart TVs, and other products open to attack by anyone else who discovered those same tools.
Some security experts have claimed that WikiLeaks may have overstated the importance of the Vault 7 release. Many of the pages in the archive appear to be support guides for common activities. And while a number of zero-day exploits were mentioned (allegedly unpatched security flaws), companies including Apple and Google have said that they’ve already patched many of the vulnerabilities mentioned in the documents.
Of course, the archive seems to have come from early 2016, so it wouldn’t include any hacking tools the CIA has developed since then.
Anyway, there are likely still a number of previously undisclosed security issues revealed by the documents, so it’s good to know that WikiLeaks plans to make them available to the affected companies before releasing them to the general public.
Still, if you’re using an old phone that doesn’t get software updates anymore, you might want to think about upgrading before WikiLeaks releases the rest of the Vault 7 archive.
One thing to bear in mind, though, before you throw your old phone in the trash, is that many of these vulnerabilities require some form of human intervention (i.e. social engineering) to get onto your device — e,g. downloading an app from an untrusted source that has been deliberately infected by a virus. If you rarely, if ever, install new apps on your old phone (which is often the case), then the odds of you ever being affected are very small.
Even the most infamous hack of 2016 (Stagefright) wasn’t an easy one to pull off.
Comments are closed.