CIA Hacking Tools are the Biggest "So What" of 2017: WikiLeaks' newly released Vault 7 trove is a tantalizing study in how one of the world's premiere intelligence agencies hacks devices. Analysts and experts have signaled that this leak appears authentic based on some clues in the content. But while it may ultimately be comparable in size to the Snowden or Manning leaks, it lacks the "wow" factor that made those landmark whistleblowing cases so important. What lessons are to be learned from the leaks, and how should we apply them to our personal digital lives?
Whodunit? the identity of the person who leaked these documents will be one of the more interesting elements of the story, but for now, it is still unclear who provided these files to the WikiLeaks organization. It has been alleged that these documents left CIA control and were handled by a variety of people within the US Government, increasing the pool of potential suspects. The motivation for these leaks remains unclear as well. WikiLeaks alleges that the CIA's cyber capabilities amount to an even more covert NSA that had little accountability. But while programs like those revealed by Snowden were never really well-kept secrets due to their size, there's nothing in the Vault 7 leaks that indicates something of the scope or scale of the NSA's programs. And nothing at all that leads readers to believe these were ever used against US persons.
Nothing new under the Cyber Sun: Only a few hours after the leak, observers have had a chance to look through only a small amount of the take, but a few trends emerge, none of which should shock cybersecurity professionals:
- Smart devices are hacking targets – The CIA is seeking to exploit technology that has significant market position and would likely be found in the hands or homes of legitimate espionage targets: iOS, Android, and Smart TVs for example. Only the willfully ignorant would not recognize the inherent risks of carrying GPS-enabled microphones and cameras in our pockets all the time, but that's exactly what a smart phone is. Likewise, the brief from Wikileaks (and subsequent echoes from the world's press this morning) suggests that vehicle control systems could be used for "nearly undetectable assassinations." What is more likely — given this program's location on a list of technologies that are decidedly not explosive — is the ability to listen in to microphones and vehicle telemetry data, aided by the embedded mobile phones in modern cars.
- Encrypted messaging is still secure, as long as you control your phone – Despite misleading reporting, the Vault 7 documents don't expressly say that the CIA can break any of the encryption in major encrypted chat applications. Instead, they're looking for ways to grab the data before it's encrypted. This has been the weak point in encrypted systems since the dawn of the industry.
- Zero Days are still king – Throughout the leaked documents, it's clear that the unidentified vulnerabilities in mobile devices are the most sought after tools in the cyber spy's toolbox. This was true when the catalog of HackingTeam tools was outed, and remains true today.
"I Spy" some policy challenges for the US administration: these new leaks are unlikely to be such a shock to the system and have such wide-ranging consequences of high-profile breaches that have preceded it. However, a leak of this magnitude will reverberate and have consequences for government policy.
- Snowden will continue to haunt – after years of trying to live down the reputational damage of the Snowden disclosures, this leak promises to rekindle the spirit of 2013. Many internationally (and domestically) will seize upon this latest revelation as further grounds to beat up on US surveillance practices, and for many governments as justification for their own protectionist practices that keep out US-based technology. With their moral authority further diminished, American officials will have a tougher time pushing back against these barriers.
- More ammunition for the crypto wars – while the IC still doesn't have a way to break high-end commercial encryption, this disclosure puts some of their work-arounds on very public display. And, as patches to vulnerabilities that were spotlighted are rolled out, some of their entry points to target devices may begin to close. When high-profile fights between tech, law enforcement, and civil libertarians return this year — as is widely expected — opponents of strong encryption will be newly reminded that some information is still beyond law enforcement's reach and that work-arounds are fragile.
- The Trump-IC rift may widen – the leak comes at an awkward time for a Trump administration already beset by leaks related to its policymaking activities. The US government is roiled by a very public spat between the intelligence community and the new administration. Much of the tension stems from leaks the administration is trying desperately to control, in the case of Michael Flynn of information likely gathered through electronic surveillance. The CIA probably shouldn't expect much love from a sullen White House, who may feel they are getting their just desserts.
Weakening American cyber power: Instead of revealing a program which may be damaging to America's democracy or its alliances, as Snowden and Manning believed they were doing, this leaker appears to be motivated primarily to reduce America's cyber firepower and potentially arm its adversaries and criminal groups. There are two key ways this will happen:
- First, intelligence agencies from Beijing to Buenos Aires will spend significant resources over the coming weeks to determine what tools the CIA may have launched against them.
- Second, criminal organizations, now attuned to the presence of zero-day vulnerabilities in software will try to figure out their own ways to identify and exploit them. This could be the most damaging aspect of the leaks: an uptick in financially-motivated criminal hacking using nation-state cyber weapons.
Securing your personal cyber space: That these tools exist to take advantage of our increasingly connected world and digital selves should come as no surprise. Undoubtedly, vendors are combing through this as well, to issue patches and secure their users. But what can the individual users from the West Wing to the West Bank do today to keep themselves from falling victim to the use of these tools by criminal groups?
- Know what devices are online – Mobile phones are one key area covered in these leaked documents. But IoT devices like Connected Cars and Smart TVs are also always-on, microphone enabled devices. If you want to improve your life, these are awesome technologies that should be welcomed into your home. If you're going to have a private conversation that you want to keep private, do it away from these prying digital ears. If Mark Zuckerberg puts a post-it over his laptop camera, maybe you should, too.
- Physical access is still sometimes necessary – One interesting element that emerges in the Vault 7 documents is the need for physical access to conduct some kinds of attacks. Keeping your most sensitive devices secure has always been a challenge. And encrypt data when at rest or in motion, because...
- ...Breaking encryption is hard – So hard, in fact, that the CIA appears to favor access to devices over trying to break out of encrypted apps. Whatsapp, Signal, Wickr, Silent Circle are all still part of a formidable encrypted app ecosystem.
- Don't forget your antivirus – While lots of commentators have come out against AV in the past couple years, it would appear that America's cyber spies still are concerned about it. AV remains the cheapest and best thing you can do to combat the daily onslaught of cybercrime.
- Be careful what you click on – Most of the attacks outlined so far in the Vault 7 documents required executing a file. So be careful of unfamiliar links and files. Think critically about the contents of an email before opening an attachment. Practice safe surfing.
By Ryan Johnson, Senior Manager, International Public Policy at Access Partnership
Related topics: Policy & Regulation, Security