What has happened?
WikiLeaks, the whistleblowing website run by Julian Assange, has released a cache of documents it calls “Vault 7”, which contains details of hacking tools used by the CIA.
What is in ‘Vault 7’?
WikiLeaks said 7,818 web pages and 943 attachments were published, and that these were just the first part of more material to come. WikiLeaks said it has an entire archive of data consisting of several million lines of computer code. The documents appear to date from between 2013 and 2016. WikiLeaks described them as “the largest ever publication of confidential documents on the agency”.
The files describe CIA plans and descriptions of malware and other tools that could be used to hack into some of the world’s most popular technology platforms. The documents showed that the developers aimed to be able to inject these tools into targeted computers without the owners’ awareness.
The files do not describe who the prospective targets might be, but the documents show broad exchanges of tools and information between the CIA, the National Security Agency and other US federal intelligence agencies, as well as intelligence services of close allies Australia, Canada, New Zealand and the United Kingdom.
What does this mean the CIA can do?
A broad range of devices are targeted by the agency. A lot of attention is focused on breaking into general-purpose computing devices, including PCs and smartphones, with malware that affects iOS and Android phones referred to in the text, as well as Windows and Linux computers.
The tools described would allow the CIA to take almost complete remote control of a user’s phone, turning it into a complete spying device reporting back to the agency. But the agency would only do so against the most important targets, since each time it uses the malware, it runs the risk of being discovered, prompting manufacturers to release a fix that stops future attacks from succeeding.
Exactly that happened in August 2016, when Apple issued a global iOS update after three exploits used in an attempt to break into the iPhone of an Arab human rights activist were discovered.
The documents also include discussions about compromising some internet-connected Samsung televisions to turn them into listening posts. That hack, like many others, would only work in an extremely targeted manner: it requires physical access to the TV in question, since the malware is loaded via a USB port.
One other document discusses hacking vehicle systems, appearing to indicate the CIA’s interest in hacking recent-model cars with sophisticated onboard computer systems.
Why am I hearing names like Weeping Angel and Nandao?
The purported CIA documents range from complicated computer coding to organisational plans to sarcastic comments about the tools’ effectiveness. The comments paint a picture of an agency filled with fairly typical developers, who like to share emojis, discuss the best text editors, and make pop culture references in their code.
Some of the tools in the release were named after alcohol references, including Bartender, Wild Turkey and Margarita. Others referenced popular movies, including Fight Club and Talladega Nights. One hacking tool, codenamed RickyBobby after the race car driver character in Talladega Nights, was purportedly used to upload and download information “without detection as malicious software”.
The Samsung malware, developed in conjunction with Britain’s GCHQ, is called Weeping Angel, apparently named after a Doctor Who villain.
Who’s behind the leak?
WikiLeaks said the material came from “an isolated, high-security network” inside the CIA’s Center for Cyber Intelligence, the spy agency’s internal arm that conducts cyber offence and defence. It said the documents were “circulated among former US government hackers and contractors in an unauthorised manner, one of whom has provided WikiLeaks with portions of the archive”. It did not make it clear who was behind the leak, leaving several possibilities: espionage, a rogue employee, a theft involving a federal contractor or a break-in of a staging server where such information may have been temporarily stored.
Is there more coming from ‘Vault 7’?
WikiLeaks has promised further releases of information in the future, but has given no date to expect them, nor said what they might contain.
The organisation has also suggested that some of the data redacted from the initial release, such as all of the actual computer code, might be released down the line, once it has determined whether it poses a risk.
How have the CIA and US government responded to the release?
A spokesman for the CIA said the agency would not comment “on the authenticity or content of purported intelligence documents”. Trump administration spokesman Sean Spicer declined comment as well.
What have the manufacturers of the targeted devices said?
Apple, one of numerous tech companies whose devices appear to have been targeted, released a statement late on Tuesday saying many of the vulnerabilities described by the documents were already fixed as of the latest version of its iOS mobile operating system, and aimed to reassure customers that it was working on patching the rest of the holes.
It said: “While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities,” adding: “We always urge customers to download the latest iOS to make sure they have the most recent security updates.”
Microsoft and Samsung both said they were looking into the reports. The maker of the secure messaging app Signal said the purported tools described in the leaked documents appeared to affect users’ actual phones, but not its software designs or encryption protocols. The maker of the popular Telegram mobile messaging app said in a statement that manufacturers of mobile phones and their operating systems, including Apple, Google and Samsung, were responsible for improving the security of their devices. It said the effort would require “many hours of work and many security updates” and assured its customers: “If the CIA is not on your back, you shouldn’t start worrying yet.”
Am I at risk of being spied on?
Unlike the NSA, which practises large-scale “SIGINT”, or signals intelligence, the CIA tends to focus on targeted surveillance. The cost of carrying out the attacks described is high, and each use risks rendering them useless if they are discovered and fixed. That means it is unlikely the CIA is using such techniques to hack millions of TV sets at once – not least because that particular hack requires physical access to the TV.
The agency’s need for targeted attacks on smartphones and other devices is in part due to the general success of encrypted communications. Despite carefully phrased claims from WikiLeaks, the documents contain no indication that encrypted messaging apps such as WhatsApp and Signal have been broken. But if the phone they are running on is compromised at the root level, even the most secure app cannot guarantee its users’ safety.
As a result, encrypted communication developers are hailing the leaks as evidence of their success. “Ubiquitous [end-to-end] encryption is pushing intelligence agencies from undetectable mass surveillance to expensive, high-risk, targeted attacks,” Open Whisper Systems said in a tweeted statement on Tuesday. “The story isn’t about Signal or WhatsApp, but to the extent that it is, we see it as confirmation that what we’re doing is working.”
Is there anything I can do to help ensure privacy?
Security researcher Matt Blaze shared his tips on Twitter: “What can you do as a user to defend? Boring stuff. Keep your software up to date. Don’t run unneeded apps.” But, most important of all: “Don’t become a CIA target.”