Yesterday WikiLeaks released the first part of its “Vault 7” archive with thousands of pages and files that allegedly reveal some of the tools the US Central Intelligence Agency uses to hack phones, computers, and even TVs. Security experts, privacy advocates, and some of the companies whose products are affected are starting to weigh in.

So how worried should you be that the CIA can hack your stuff? I’m going to go with “moderately.”

Look, you probably already knew that the CIA, NSA, and other spy agencies had tools for hacking into computers and phones of suspected terrorists.

My bigger concern is what these documents tell us about the security and privacy of those who either aren’t targets of investigations at all, or who may be under investigation for erroneous reasons.

The CIA is stockpiling security vulnerabilities and sometimes even paying for them. Since the agency is not disclosing these security flaws to companies like Google, Apple, Samsung, or Microsoft, it means that users are not only subject to CIA hacking, but hacking from anyone else who is aware of those vulnerabilities.

So in the interest of national security, the CIA (and probably other government agencies) are ensuring that your devices are less secure than they could be.

So what does that mean?

Using Android?

Many of the CIA hacking tools discussed in the leak involves smartphones, and many of those are focused on Android, which makes sense. It’s the world’s most used smartphone operating system, and phones are tiny GPS tracking devices that we carry everywhere we go. They’re also listening devices that keep a record of our communications, web browsing, and more.

The good news for Android users worried about privacy is that many of the vulnerabilities mentioned seem to address older versions of Android. The less good is that this doesn’t necessarily mean the CIA can’t hack newer versions of the operating system: Vault 7 might just contain out-of-date information and lack details about newer tools the CIA is using.

Update: Google says many of the exploits revealed by Vault 7 have already been fixed.

Verdict: If you’ve got a phone running newer version of Android, it’s probably safer from some forms of attack than one stuck on Android 4.0. But it’s not really clear at this point how much safer. 

Have an iPhone?

Most of the things I said above apply to iOS. But Apple has taken the step of releasing a statement saying that the company’s “initial analysis indicates that many of the issues leaked… were already patched in the latest iOS.”

Again, while that means that some of the information in Vault 7 is out of date, we don’t know what we don’t know about newer tools used by the CIA yet.

Since the Vault 7 documents also lack actual code, it could be difficult for companies like Apple and Google to use the leaked data to try to identify and patch security vulnerabilities, although both companies will undoubtedly be doing their best to do so.

Verdict: See above… but since Apple has a much better mechanism for pushing software updates to users than Google, the vast majority of iPhone and iPad users are running the latest version. 

Using WhatsApp, Signal, Telegram, or other “secure” communication apps?

While some initial headlines made it sound like the CIA has cracked the encryption used by these apps, that’s not exactly true. The encryption still works to keep your messages private.

But if your phone is hacked, then the CIA can bypass the encryption in order to monitor your communications.

The distinction might sound academic: the apps are safe, but only if you’re phone isn’t already compromised. But this means that efforts to tighten security need to focus on the operating systems, not the apps or Signal communication protocol.

Verdict: If you want to use a private messaging app, go ahead and keep using one featuring the Signal protocol. It might not protect you if you (or the person you’re communicating with) has a compromised device. But it’s safer than not using encrypted communications.

Have a Samsung Smart TV?

Some models are subject to the “Weeping Angel” exploit, which allows the CIA to turn on the mic on a TV and use it as a listening device, even when the TV display is turned off.

Sounds scary, and it kind of is.

But it’s also limited in scope. If you don’t have a TV with a mic (for voice commands), then you’re probably not affected. And more importantly, this isn’t a remote exploit, which means it can’t be delivered over the internet.

Someone actually needs physical access to your TV to install the software.

Verdict: Personally I’m a fan of buying a dumb TV and connecting it to the third-party “smart TV” box of your choice anyway. But if you’re paranoid, you can just focus on buying a TV with no mic… or unplug your TV when you’re not using it. 

What about Windows, Mac, and Linux computers?

There’s much less talk of the CIA’s techniques for hacking desktop operating systems, but there are a few mentions of vulnerabilities that can bypass antivirus software on Windows or attack the BIOS on Macs.

The good news is that there may be just enough information to allow antivirus software companies to start detecting (at least some) CIA intrusion.

Verdict:¯\_(ツ)_/¯ I mean, you could do the usual things and keep your antivirus software up do date, practice safe browsing, and maybe put tape or another shield over your camera when it’s not in use. But we don’t actually know very much about these particular vulnerabilities. 

Conclusion

It looks like WikiLeaks may have overhyped the contents of the Vault 7 release, but the biggest revelation might not be about the specific hacking tools at the spy agency’s disposal (or the level of classification on the leaked documents).

It might be that the agency is more interested in stockpiling vulnerabilities for its own use than in disclosing them so that they can be patched. And as the EFF notes, that puts citizens at risk rather than protecting them.

 

Of course, it’s not particularly surprising to know that this has been going on. But it’ll be interesting to see if there’s any call to change course now that the information is public… or if the government will instead focus on hunting down the leakers rather than dealing with the contents of the leaks.

 

Support Liliputing

Liliputing's primary sources of revenue are advertising and affiliate links (if you click the "Shop" button at the top of the page and buy something on Amazon, for example, we'll get a small commission).

But there are several ways you can support the site directly even if you're using an ad blocker* and hate online shopping.

Contribute to our Patreon campaign

or...

Contribute via PayPal

* If you are using an ad blocker like uBlock Origin and seeing a pop-up message at the bottom of the screen, we have a guide that may help you disable it.

Subscribe to Liliputing via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 9,502 other subscribers

20 replies on “How worried should you be about CIA hacking tools revealed by WikiLeaks?”

  1. I use a Windows Phone and it seems like those CIA documents don’t mention anything about Windows Phone. I guess that means Windows Phone must be the most secure smartphone OS ever lol

  2. One of the good thing about those leaks is that companies have started to provide fixes, so products will become a bit more secure now.

    1. So what’s new? Jones is a loon who has never met a conspiracy theory he didn’t believe. Even if he is right this time, it means squat. This is a man who spouts 100+ lies and distortions every hour he’s on the air, and even when he’s hopelessly wrong (remember Jade Helm, Y2K, Ebola, Bird Flu, Sandy Hook, Obama’s third term, etc. etc?) he still finds ways to claim he was right about everything.

      The man is a cancer on American society. I used to think he was a harmless crank, but now he has the ear of the most powerful leader in the world, he’s not a joke anymore. I don’t say this often, but he’s an example of someone whose very presence in the public sphere is a net negative to American society. We’d be much better off without him.

  4. The only thing about this that actually worries me – if it is factual and accurate – is how WikiLeaks came to have the information and why it was given to them and why now.

    1. Why is that the only thing? The government has a track record of spying on its citizens for dubious reasons, but beyond that, with this leak, the general public, including malicious entities, now has access to some interesting tools and methods to break into vulnerable systems. Tin foil and hyperbole firmly aside, how is that not the slightest bit worrisome?

  5. It is all academic until it happens to you. I have software on my phone that alerts me when components are activated (Bluetooth, wifi, camera, microphone, etc.). Never really thought it would amount to anything until one night I was watching TV with my girlfriend and the notification alarm goes off telling me the microphone on my cell phone had just been activated. I wasn’t even touching my phone. It was on the coffee table. My Samsung “smart” TV does not have access to the internet and never will.

  6. Bottom line: “Our” government is doing nothing to protect it’s citizens. In fact, their behavior is clearly anti-American.

    There was a time when the government issued a warning not to use Internet Explorer (it happened a couple of times, if I recall), for example. Nowadays, it’s about purposely and with malice aforethought withholding this information from the American public.

    This philosophical shift borders on a kind of treason. We pay our government to protect us. If this behavior came from an outside malicious source, it’s perfectly understandable. We’re dealing an enemy.

    I’m still waiting for bans on the massive number of IoT products with known backdoors, waiting for legislation limiting the kinds of spyware built into our Operating Systems by companies with ZERO accountability, waiting for sanctions of 3rd-parties tracking users across the internet. There has been nothing from our government related to none of this either.

    Lots of users have gotten used to this as “business as usual”. Most aren’t aware of just how bad things are across the board – in all aspects of our lives. Some of us see this as criminal activity. I’m in the last camp. The Internet and other connected devices IS Real Life. It isn’t some pseudo, virtual world we live in.

    No amount of mental gymnastic changes the fact that the entire tech industry, including this latest news (something that didn’t surprise me at all), have weaponized their technology against us all.

    1. “In fact, their behavior is clearly anti-American.”

      You are assuming the entire government operates as one monolithic bloc with a single intent, which is clearly BS. There will always be some bad actors, but much of the bad behavior stems from making bad decision in spite of good intentions. The security agencies are tasked with keeping Americans safe, and sometimes, they believe they can do their job more effectively by taking short cuts and bypassing all the legal red tape put in place to prevent bad behavior. It’s a serious problem, sure, but your paranoid talk of “treason” and “weaponized” technology does nothing to inform the debate — it just spreads the paranoia, and will likely lead to more bad behavior down the road.

      1. True enough, and I think it’s the right attitude to have in general. Still, it’s dangerous to get comfortable with this state of affairs. It’s nowhere near as bad as many say, but where do you draw the line? I imagine if you were one of the many significant others spied upon by NSA techs with too much access, you might say it’s far past the point for stricter control and scrutiny.

        1. It’s a thorny issue, for sure, and for those relatively few individuals caught in the crosshairs, the consequences can be devastating, particularly since the US criminal justice system is almost impossible to fight without highly paid lawyers (this, I believe, is a far bigger problem than NSA or CIA spying).

          There should always be strict scrutiny of those who hold such power to devastate, but of course, it’s not easy, especially when the programs are naturally covert. But it is important to maintain perspective. Despite the protestations of the conspiracy theorists, we are still a long way from the terrors of the Soviet surveillance state where even a casual conversation with your neighbor could land you in the Gulag.

  7. There was a time when I didn’t care too much for what the CIA and NSA was or wasn’t spying on, even if it was me because I believed it was in the best interest of this great nation. For the most part, I figure what they do they do to protect the country and it’s law abiding citizens. Their targets aren’t you know, the Phillips down the road who live a typical life, Dad the programmer, Mom the insurance agent and little Tommy and Tulip.

    Now however, everytime I hear news like this I get a little worried. Never in a thousand years would I think this awesome country would put someone in power who I honestly thought would very easily abuse it, yet here I am witnessing history.

    The folks on his pooplist probably need to watch out. We all know how vindictive and petty he can potentially be. I’m assuming that it doesn’t take much, if he wanted to get detailed info on so and so to put in an order to do so. That is worrisome.

    1. The contents of Vault7 were captured under Presidents Bush and Obama, who directed and continued programs to spy on Americans. Ask Eric Holder, held in contempt for lying to Congress about spying on citizens in America. We would never have known but for Wikileaks and Edward Snowden.

    2. Being spied upon is one of the few things I’m not too worried about concerning Trump at the moment, but then, I’m not Hispanic. Fortunately for a president to do something so blatantly unconstitutional as bypass all the legal and legislative controls requires the cooperation of a very large number of people without any whistleblowers finding out, and as worrying as some of his ultra-nationalist advisors are, I don’t think we’re close to being there yet.

      Clearly, though, if you’re digging into this stuff, either from a political or security angle, it would certainly pay to take precautions, but I would say the same thing to any investigative journalist who is attempting to shine light in the darker regions of political and corporate America.

      But, after hackers who are just looking to steal your stuff, the biggest danger to most Americans isn’t the NSA or rogue FBI agents, it’s actually local law enforcement, in cahoots with local and state judges who will far too often grant search warrants for their buddies in the police force, even when the targets have done nothing wrong other than piss off the wrong person — like the local police chief, or some well connected local official or businessman. Those warrants are used for fishing expeditions and to intimidate.

  8. If any of these tools and abilities has taken anyone by surprise, then perhaps tech isn’t for them. Or going outside for that matter.

    Spying agencies.. you know.. spy.
    Things containing data.. you know.. allow data retrieval.
    Things with microphones.. you know.. listen.
    Companies operating in a country, under that country’s laws, and having to co-operate with law enforcement, have to.. you know.. co-operate.

    With closed source hardware, proprietary protocols, closed software, how do you know the device is [only] doing what it says on the box? And open source is only built by humans, who make mistakes.

    The most secure computer is the one that is unplugged and switched off.

    What I’m more worried about is gangsters doing this, or perhaps other governments, and sometimes as part of corporate espionage.

Comments are closed.