Naked Security

WikiLeaks dump shows CIA can use IoT to hack ‘anything, anywhere’

WikiLeaks’ release of 8,761 pages of internal CIA documents makes this much abundantly clear: the agency has built a monster hacking operation – possibly the biggest in the world – on the backs of the many internet-connected household gadgets we take for granted.

That’s the main takeaway among security experts Naked Security reached out to after the leak went public earlier Tuesday.

Recap of events

For those just hearing the news, here’s a review of the last several hours:

WikiLeaks Tuesday launched a new series of leaks on the US Central Intelligence Agency it calls “Vault 7”. It claims this will represent the largest dump of confidential documents on the agency in history. The first full part of the series is called “Year Zero” and includes documents and files from an isolated, high-security network inside CIA headquarters in Langley, Virginia.

WikiLeaks said in its press release that Year Zero introduces the scope and direction of the CIA’s global covert hacking program, its malware arsenal and dozens of zero-day weaponized exploits against a wide range of US and European company products, including Apple’s iPhone, Google’s Android, Microsoft’s Windows and even Samsung TVs, which are apparently turned into covert microphones.

It’s that mastery of Internet-of-Things (IoT) technology that has caught the attention of experts.

Hacking anything, anywhere

Eric Cowperthwaite, former VP of strategy for Core Security and now director of managed risk services for Edgile, said the CIA has built a capability to hack pretty much anything, anywhere. The CIA potentially has more ability now to intrude into servers, computers, smartphones and electronic communications than even the NSA.

Unfortunately, he added:

This capability is now in the hands of people other than the CIA. All the things you’ve read that seem like science fiction movie plots are really true. Other people can listen to you via your smart TV, can read your email, turn on the webcam on your laptop, without you ever knowing.

Christian Renaud, a 451 Research director specializing in IoT, said there are three possible scenarios at play:

  1. It’s all a smear campaign by the Russians, Chinese or others to raise concerns about the US intelligence community;
  2. It’s not a smear campaign and the NSA helped leak CIA sensitive data to gain points on the CIA, their rival; or
  3. A third party penetrated the CIA and leaked the information à la Snowden to raise awareness of what can only be described as a methodical security war against enemies and US citizens by an intelligence agency.

If the last is true, he said:

Your government has been using your own devices to spy on you without warrant. If you’re not upset, you should be.

Sobering, but hardly surprising

Though the information certainly has a chilling effect among privacy rights advocates, security experts say the narrative should be of little surprise.

Nick Selby, CEO of the Secure Ideas Response Team, said that if anyone had been thinking that government agencies have avoided a full-scale embrace of the cyber-weapons arena or held out hope that “We don’t do that kind of thing,” then this should settle the score once and for all.

That does not mean that the CIA – or any other government agency – is spying on ordinary American citizens. It is evidence, though, that it has worked hard to maintain a stockpile of cross-platform cyberweapons that make both targeted and mass surveillance possible, despite a range of advances in cryptographic communications tools in the hands of the public. 

In the grand scheme of things, Selby said, this is something every government engages in, and the CIA would have been remiss in its duties had it not been engaged in these activities:

For anyone to suggest that there is something inherently shady or disagreeable about an intelligence agency developing tools with which it can conduct intelligence operations for the purpose of intelligence gathering is to misunderstand the purpose of intelligence agencies. 

Cowperthwaite added:

Much of this has been suspected, or reported on, over the years. To a great extent, this is corroboration of things already leaked out to the public. And it likely doesn’t represent state of the art.

Is WikiLeaks helping or harming?

Of course, whenever WikiLeaks dumps a bunch of information this way, the question must be asked: is it helping us be a better society by making us more aware, or is it simply generating chaos?

Cowperthwaite is torn, and brings up the example of Chelsea Manning, a United States Army soldier convicted by court-martial in 2013 for violating the Espionage Act and other offenses, after giving WikiLeaks nearly three-quarters of a million classified and/or sensitive military and diplomatic documents.

There is good and bad in this. We know that some of the Manning leaks had impacts on military operations. That was part of Manning’s trial. I also found it interesting that WikiLeaks alleges that the US Intelligence Community has a problem keeping its cyberwar tools off the black market. And if the CIA, NSA, etc. can’t keep these things under control, that is something that citizens should know.

The debate over the CIA’s capabilities and the pros and cons of WikiLeaks’ document dumps won’t be ending anytime soon. As those interviewed note, today’s release was just the first installment.