Last Tuesday, the WikiLeaks organization released a cache of almost 9,000 documents allegedly leaked from the CIA. Dubbed “Vault 7,” these documents are said to detail everything from CIA trade secrets to, oddly enough, Internet memes and geek-culture references shared between agents. The public already knows that this trove describes CIA hacking programs; now that the dust has settled, what it means for us, as consumers, is becoming clearer. Here’s what you should know about the CIA toolkits leak.
The CIA toolkits contain out-of-date malware and program exploits
Excluding the memes and correspondence captured in the leak, the information mostly consists of hacking best practices and hacking toolkits. The toolkits predominantly consist of malware and program exploits, but given how old some of the kits appear to be, much of the information is likely no longer current, since the software they target is constantly being updated. For the most part, devices that have been kept up to date should be fine.
While on the surface the information appears to be a bombshell, with some even comparing the leaks to the Snowden revelations, many experts have refrained from such language. For example, some have pointed out that a number of the exploits and malware in these toolkits were already common knowledge among hackers. Others have pointed out that this behavior is well within the CIA’s established playbook, which means it isn’t clear that the agency has done anything illegal.
What seems to be the clearest rebuke, though, is that the CIA sat on these tools, specifically zero-day (or day zero) exploits, rather than sharing the information with vendors and security experts to make systems more secure. A zero-day exploit targets a vulnerability that the software’s developer does not yet know about, so no patch exists for it. The name comes from the developer’s side of the equation: they have had “zero days” to fix the flaw, because they usually only learn of it once it has already been exploited by hackers. Since most of the tools in the CIA’s arsenal are ones that other capable hackers could have used – either by stealing them from the CIA or by discovering the same flaws independently – critics argue that the CIA could have kept citizens safer by reporting these vulnerabilities so they could be patched, rather than stockpiling them.
The CIA likely didn’t engage in mass surveillance (but that’s not entirely reassuring)
Given the nature of the CIA toolkits, and the purpose of the CIA, it’s fairly likely that the tools were used only against specified targets. Since exploits, especially zero-day exploits, made up a significant share of the CIA’s tools, indiscriminate use would have drawn attention to the underlying vulnerabilities, gotten them patched and made the tools useless. In addition, a few of the tools, such as the infamous Samsung Smart TV exploit dubbed “Weeping Angel,” required a USB stick and physical access to the device – two requirements that make widespread use unlikely.
Although it has yet to be determined whether anyone other than foreign targets fell victim to these tools, nothing in what has been released so far suggests that they were. WikiLeaks claims, however, that it has released less than 1% of the information it holds on the CIA, so it’s entirely possible that future leaks will contain proof of unwarranted surveillance of Americans.
The leaks don’t prove that the CIA broke encrypted apps — good news for consumers
WikiLeaks seemed to suggest that the CIA had cracked the end-to-end encryption of chat programs like Signal and WhatsApp, but the documents themselves show otherwise. Instead, the CIA used targeted malware to take over the operating system of a specific device, which lets an attacker read messages before they are encrypted or after they are decrypted, without touching the encryption at all. The encryption itself still works, and many websites and services are starting to provide encryption by default, making it harder for anyone to snoop on your activity remotely. Of course, if your machine is infected with malware, you’ve been phished, or someone is looking over your shoulder, then none of your activity will be hidden, no matter how strong the encryption.
Leaked exploits have already been patched or will be patched
As we’ve stated before, some of these tools date from 2013, 2014 and 2015, so the software updates pushed by tech companies in the last few years have likely reduced, if not eliminated, the effectiveness of many of them – provided you actually install those updates. Additionally, WikiLeaks has promised to share the details of the toolkits with the affected tech firms so that any lingering vulnerabilities can be patched and consumers can be protected.
Technology is not as secure or private as you think
While the CIA’s actions might be shocking, one of the biggest takeaways is a reminder of how insecure modern technology can be. Sadly, a lot of the CIA’s tools were merely exploits of existing vulnerabilities in software, something that any hacker with enough time could find and take advantage of. What’s worse, there is reason to suspect that the number of unreported zero-day vulnerabilities in everyday technology is higher than we assume, especially if the CIA isn’t sharing what it finds with tech companies.
This means that your first line of defense when it comes to protecting your privacy and identity is being selective about what technologies you let into your life. Reading the terms of service for any product or service you’re interested in, paying special attention to any clauses regarding privacy and security, is the first step. If the terms of service state that data is collected or shared, be aware that if the company, product or service is compromised, so too is your privacy. Similarly, if a smart device doesn’t let you change its default password or doesn’t promise regular firmware updates – even if it’s something as innocuous as a lightbulb – you should assume it could be compromised and controlled by hackers, as happened to thousands of such devices in last year’s massive Internet DDoS attack. Hacked smart devices can also be used to infiltrate your home network, monitor you or even steal your identity.