
WikiLeaks' Vault 7: CIA Gives a Free Lesson in Personal Cyber Security

Ryan Johnson

CIA Hacking Tools are the Biggest "So What" of 2017: WikiLeaks' newly released Vault 7 trove is a tantalizing study in how one of the world's premiere intelligence agencies hacks devices. Analysts and experts have signaled that this leak appears authentic based on some clues in the content. But while it may ultimately be comparable in size to the Snowden or Manning leaks, it lacks the "wow" factor that made those landmark whistleblowing cases so important. What lessons are to be learned from the leaks, and how should we apply them to our personal digital lives?

Whodunit? The identity of the person who leaked these documents will be one of the more interesting elements of the story, but for now, it is still unclear who provided these files to the WikiLeaks organization. It has been alleged that these documents left CIA control and were handled by a variety of people within the US Government, increasing the pool of potential suspects. The motivation for these leaks remains unclear as well. WikiLeaks alleges that the CIA's cyber capabilities amount to an even more covert NSA that had little accountability. But while programs like those revealed by Snowden were never really well-kept secrets due to their size, there's nothing in the Vault 7 leaks that indicates something of the scope or scale of the NSA's programs. And nothing at all that leads readers to believe these were ever used against US persons.

Nothing new under the Cyber Sun: Only a few hours after the leak, observers have had a chance to look through just a small portion of the take, but a few trends already emerge, none of which should shock cybersecurity professionals:

  • Smart devices are hacking targets – The CIA is seeking to exploit technology that has significant market position and would likely be found in the hands or homes of legitimate espionage targets: iOS, Android, and Smart TVs for example. Only the willfully ignorant would not recognize the inherent risks of carrying GPS-enabled microphones and cameras in our pockets all the time, but that's exactly what a smartphone is. Likewise, the brief from WikiLeaks (and subsequent echoes from the world's press this morning) suggests that vehicle control systems could be used for "nearly undetectable assassinations." What is more likely — given this program's location on a list of technologies that are decidedly not explosive — is the ability to listen in to microphones and vehicle telemetry data, aided by the embedded mobile phones in modern cars.
  • Encrypted messaging is still secure, as long as you control your phone – Despite misleading reporting, the Vault 7 documents don't expressly say that the CIA can break any of the encryption in major encrypted chat applications. Instead, they're looking for ways to grab the data before it's encrypted. This has been the weak point in encrypted systems since the dawn of the industry.
  • Zero-days are still king – Throughout the leaked documents, it's clear that unidentified vulnerabilities in mobile devices are the most sought-after tools in the cyber spy's toolbox. This was true when the catalog of HackingTeam tools was outed, and it remains true today.

"I Spy" some policy challenges for the US administration: These new leaks are unlikely to be as much of a shock to the system, or to have consequences as wide-ranging, as the high-profile breaches that have preceded them. However, a leak of this magnitude will reverberate and have consequences for government policy.

  • Snowden will continue to haunt – After years of trying to live down the reputational damage of the Snowden disclosures, this leak promises to rekindle the spirit of 2013. Many internationally (and domestically) will seize upon this latest revelation as further grounds to beat up on US surveillance practices, and many governments will use it as justification for their own protectionist practices that keep out US-based technology. With their moral authority further diminished, American officials will have a tougher time pushing back against these barriers.
  • More ammunition for the crypto wars – While the IC still doesn't have a way to break high-end commercial encryption, this disclosure puts some of its workarounds on very public display. And, as patches for the vulnerabilities that were spotlighted are rolled out, some of those entry points to target devices may begin to close. When high-profile fights between tech, law enforcement, and civil libertarians return this year — as is widely expected — opponents of strong encryption will be newly reminded that some information is still beyond law enforcement's reach and that workarounds are fragile.
  • The Trump-IC rift may widen – The leak comes at an awkward time for a Trump administration already beset by leaks related to its policymaking activities. The US government is roiled by a very public spat between the intelligence community and the new administration. Much of the tension stems from leaks the administration is trying desperately to control; in the case of Michael Flynn, the leaked information was likely gathered through electronic surveillance. The CIA probably shouldn't expect much love from a sullen White House, which may feel the agency is getting its just deserts.

Weakening American cyber power: Instead of revealing a program which may be damaging to America's democracy or its alliances, as Snowden and Manning believed they were doing, this leaker appears to be motivated primarily to reduce America's cyber firepower and potentially arm its adversaries and criminal groups. There are two key ways this will happen:

  • First, intelligence agencies from Beijing to Buenos Aires will spend significant resources over the coming weeks to determine what tools the CIA may have launched against them.
  • Second, criminal organizations, now attuned to the presence of zero-day vulnerabilities in software, will try to figure out their own ways to identify and exploit them. This could be the most damaging aspect of the leaks: an uptick in financially motivated criminal hacking using nation-state cyber weapons.

Securing your personal cyber space: That these tools exist to take advantage of our increasingly connected world and digital selves should come as no surprise. Undoubtedly, vendors are combing through the documents as well, to issue patches and secure their users. But what can individual users, from the West Wing to the West Bank, do today to keep themselves from falling victim to the use of these tools by criminal groups?

  • Know what devices are online – Mobile phones are one key area covered in these leaked documents. But IoT devices like connected cars and Smart TVs are also always-on, microphone-enabled devices. If they improve your life, these are awesome technologies that should be welcomed into your home. But if you're going to have a private conversation that you want to keep private, do it away from these prying digital ears. If Mark Zuckerberg puts a Post-it over his laptop camera, maybe you should, too.
  • Physical access is still sometimes necessary – One interesting element that emerges in the Vault 7 documents is the need for physical access to conduct some kinds of attacks. Keeping your most sensitive devices physically secure has always been a challenge. And encrypt data at rest and in motion, because...
  • ...Breaking encryption is hard – So hard, in fact, that the CIA appears to favor gaining access to the device over trying to break the encryption of the apps on it. WhatsApp, Signal, Wickr, and Silent Circle are all still part of a formidable encrypted app ecosystem.
  • Don't forget your antivirus – While lots of commentators have come out against AV in the past couple of years, it would appear that America's cyber spies are still concerned about it. AV remains the cheapest and best thing you can do to combat the daily onslaught of cybercrime.
  • Be careful what you click on – Most of the attacks outlined so far in the Vault 7 documents required executing a file. So be wary of unfamiliar links and files. Think critically about the contents of an email before opening an attachment. Practice safe surfing.

By Ryan Johnson, Senior Manager, International Public Policy at Access Partnership
