WikiLeaks released on Tuesday thousands of pages of what appears to be the largest leak of C.I.A. documents in history, describing hacking tools and techniques allegedly used by the agency to penetrate internet-connected devices such as smartphones, computers and even smart TVs. The documents include instructions for compromising a wide range of common computers and devices through a detailed, technical catalog of tools and techniques that exploit security vulnerabilities found in Skype, Wi-Fi networks, PDF documents, and even widely used antivirus software.
According to WikiLeaks, the initial release of 7,818 web pages and 943 attachments is only the first in a series of what appears to be a much larger secret data collection: the entire archive would supposedly consist of several hundred million lines of computer code, and the release only accounts for 1% of Vault 7. In an effort to avoid disclosing sensitive material such as actual code for cyberweapons, a lot of those documents were partly redacted by WikiLeaks editors themselves. The files include far more pages than the Snowden files, according to Julian Assange, and that’s bad news for the C.I.A., which uses the vast hacking power detailed in the files to carry out spying operations on foreign targets.
The documents, all dated from 2012 to 2016, describe how the C.I.A. and allied intelligence services allegedly managed to compromise Apple and Android smartphones, which could have significant consequences for the tech world if confirmed. The techniques would allow government hackers to bypass the encryption on popular services like Signal, WhatsApp and Telegram, and to collect messages, both written and audio, before the encryption is applied, shaking claims made by Facebook that the encryption of its services was unbreakable. C.I.A. officials refused to confirm the authenticity of the documents, but a government official declared they were real, while a former intelligence officer admitted that some of the content (including code names for programs, the description of a C.I.A. hacking base and an organization chart) appeared to be genuine.
The huge trove of documents appeared to take the agency by surprise on Tuesday morning, with a C.I.A. spokesman, Dean Boyd, declaring “We do not comment on the authenticity or content of purported intelligence documents.” The reaction is understandable, as the release is a severe blow for an agency that relies on secrecy for its operations. However, the files do not include examples of the way the techniques and tools may have been used against foreign users or targets, which could potentially limit the damage to a national scale. According to WikiLeaks, the C.I.A. “lost control of its arsenal”, and the documents confirmed several suspicions that its hacking abilities were far more advanced than initially thought.
Even if there is no actual evidence that the hacking tools disclosed in the files were used by the C.I.A. against Americans, Ben Wizner, director of the American Civil Liberties Union’s Speech, Privacy, and Technology Project, suggested that the government deliberately allowed vulnerabilities in phones and other devices in an effort to make spying easier, and raised concerns about the impact those vulnerabilities could have: “Those vulnerabilities will be exploited not just by our security agencies, but by hackers and governments around the world,” he added. “Patching security holes immediately, not stockpiling them, is the best way to make everyone’s digital life safer.”
At a time of increasing concern regarding online privacy, it is still important to note that the revelations do not assert that the encryption of the popular messaging apps can be broken. What they do say is that the C.I.A. found ways to bypass it by compromising the operating systems of the devices, be it iOS or Android, and intercepting the messages and calls before the encryption is even applied. Using this approach, the C.I.A. could even gain access to the content of any given smartphone and dispose of its data, since no actual encryption protocol could protect a device’s content if its system has been compromised.
In the past, WikiLeaks has already been accused of leaking potentially harmful information, which is why it seems the group decided to delete names and other identifying information from the release, as a means to prevent the information from being used as potential weapons “until a consensus emerges on the technical and political nature of the C.I.A.’s program and how such ‘weapons’ should be analyzed, disarmed and published.”
The files show that smartphones are far from being the only targeted devices: smart TVs, and specifically Samsung ones, are used as listening devices without the knowledge of their users, with the help of a program code-named Weeping Angel, even when the TVs appear to be turned off. The televisions would then “operate as a bug, recording conversations in the room and sending them over the internet to a covert C.I.A. server.” It would be fair to assume that, if C.I.A. agents did manage to hack the smart TVs, they would not be the only ones. The sets have been attracting a lot of attention from hackers and security experts, as their recording and transmitting features are seen as a potentially dangerous vulnerability.
As a response to the issue in early 2015, Samsung started to include in the fine print terms of service for its smart TVs a warning that the television could potentially capture background conversations: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”
The WikiLeaks material also includes lists of software tools that the C.I.A. uses to create exploits and malware to carry out hacking, many of them tools used by regular developers all around the world, such as Python, Sublime Text, or Git. However, the agency also appears to use specific spying software products such as Ghidra, which is described in one of the files as “a reverse engineering environment created by the N.S.A.”
The Vault 7 release is only the latest in a series of massive leaks that have changed the landscape for government and corporate secrecy in the past few years. The Vault 7 archives seem to be similar in scale to the biggest leaks of classified information, such as the quarter-million diplomatic cables released on WikiLeaks in 2010 thanks to Chelsea Manning, a former Army intelligence analyst, and much larger than the thousands of documents released by Edward Snowden in 2013. The ease of downloading and transferring data online has dramatically increased the risk of government and corporate leaks in the past few decades, which suggests that many more compromising documents might surface sooner or later.