Spy dump shows depth of access
WikiLeaks has published the CIA’s entire cyber-attack playbook.
In just the first tranche of what WikiLeaks is calling “Year Zero”, over 8700 files detailing a range of hacks and ‘zero day exploits’ from between 2013 and 2016 have been dumped online.
Some of the backdoors into devices were developed by the CIA, while others were purchased. Given that manufacturers were not informed of the exploits, it shows the US Government has paid money to keep its citizens unsafe.
The documents show the CIA's hacking division had over 5000 people on the books producing more than a thousand hacking systems, trojans, viruses, and other “weaponized” malware.
The leaks show detailed information on how to use virtually any internet-capable device for covert surveillance, including how to gain deep access to computers, mobile phones, smart watches, glasses, TVs and fridges.
Remember in 2015 when Samsung warned people about what they say in front of their TVs? The CIA has a technique called ‘Weeping Angel’ which allows it to make a Samsung TV appear to be switched off (turning off the screen and LEDs) while allowing the microphone to actively record.
Of particular concern is a section on taking command of a car for the purposes of assassination.
Software runs virtually every part of a modern car, and by gaining access through the CAN bus, the documents show that everything down to the code that tells brakes to engage can be modified or removed. Important people have died in suspicious car crashes, and even international jets are known to veer off course and mysteriously disappear.
But that is just the beginning - there is also a giant archive of cyber-attack tools gathered from other sources (including Russia), along with manuals showing how to create the ‘fingerprints’ of the groups that the attack techniques were stolen from.
This means that any given cyber attack can be misleadingly attributed to virtually any source, and intelligence agencies can create the evidence to prove it.
But this power is not limited to the CIA, especially because vulnerabilities in its practices have led to the entire archive already being leaked and distributed among private security operators, and presumably other governments.
“To attack its targets, the CIA usually requires that its implants communicate with their control programs over the internet,” WikiLeaks says.
“If CIA implants, Command & Control and Listening Post software were classified, then CIA officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet.
“Consequently the CIA has secretly made most of its cyber spying/war code unclassified. The U.S. government is not able to assert copyright either, due to restrictions in the U.S. Constitution.
“This means that cyber 'arms' manufacturers and computer hackers can freely ‘pirate’ these 'weapons' if they are obtained.
“The CIA has primarily had to rely on obfuscation to protect its malware secrets.”
WikiLeaks has been criticised for the content and timing of its release, but the organisation says it has removed ‘weaponized’ lines of code, as well as redacted names, email addresses and external IP addresses in the released pages (70,875 redactions in total) until further analysis is complete.
Tech and security firms are rushing to contain the damage from the security weak points.
Sinan Eren, vice-president of Czech anti-virus software maker Avast, says Apple and Google should supply security firms with privileged access (like the CIA enjoys) to their devices to help create immediate fixes.
“We can prevent attacks in real time if we are given the hooks into the mobile operating system,” Mr Eren told reporters.
“If we can drive a paradigm shift where mobile platforms don't shut off access, we'll be better able to detect when hackers are hiding in a mobile [phone].”
Apple has issued a statement saying its current iOS security patches address many of the problems, but because the documents are from 2016, it is impossible to know whether these fixes have been thwarted.
Google is yet to comment, while Microsoft says: “We're aware of the report and are looking into it.”
The moment you realize that you don't watch TV. TV watches you! #Vault7 #Wikileaks pic.twitter.com/gK533DmVFb
— Tennessee (@TEN_GOP) March 7, 2017