The latest dump from WikiLeaks of CIA documents detailing the US spy agency’s ability to exploit vulnerabilities in smartphones, computers and widely used devices such as wi-fi routers is being described by experts as bigger than Edward Snowden’s leaks on the National Security Agency.
WikiLeaks has said it obtained the trove of documents from one of the former US government hackers and contractors among whom the files had circulated in an unauthorized manner.
Most of the CIA’s programs exploited “zero day” vulnerabilities, or undisclosed weaknesses in software that can be used by hackers to affect or gain access to data or programs. A zero day is so named because the weakness is not known till it is exploited by hackers, leaving the software’s author “zero days” to create patches to address the vulnerability.
Here are five things you need to know about the leak of nearly 9,000 documents from the CIA’s Center for Cyber Intelligence about the agency’s cyber-espionage efforts.
1. Encrypted chat apps haven’t been compromised but smartphones are vulnerable:
The CIA has not yet cracked the end-to-end encryption tools of apps such as Signal and WhatsApp, which are used by more than a billion people, but the spy agency can compromise the smartphones used to send and receive messages through such apps. This means the CIA can access data, videos, images and even the camera and microphone on the devices.
The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption.— Open Whisper Systems (@whispersystems) March 7, 2017
The story isn't about Signal or WhatsApp, but to the extent that it is, we see it as confirmation that what we're doing is working.— Open Whisper Systems (@whispersystems) March 7, 2017
2. How vulnerable are your smartphones?
According to WikiLeaks, the CIA’s Mobile Devices Branch has “developed numerous attacks to remotely hack and control popular smartphones”, which can be instructed to send the “user’s geo-location, audio and text communications as well as covertly activate the phone’s camera and microphone”.
A specialised CIA unit targeted Google’s Android software, which powers almost 85% of the world’s smartphones (including millions of devices in India). As of 2016, WikiLeaks said, the CIA had weaponised 24 Android “zero days” that it either developed itself or obtained from GCHQ, NSA and cyber arms contractors.
Another unit targeted iPhones, which have a minority share of less than 15% of the global market, and iOS devices because of the popularity of iPhones and Apple devices “among social, political, diplomatic and business elites”.
3. What other devices can the CIA access?
According to WikiLeaks, the spy agency can target computers running on Windows, Apple products running iOS, and even smart TVs from manufacturers such as Samsung. “As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks. The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations,” WikiLeaks said.
WikiLeaks said the CIA and Britain’s MI5 had developed “Weeping Angel”, which could be used to turn smart TVs into covert microphones. It added that “Weeping Angel places the target TV in a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on”, and the TV “operates as a bug, recording conversations…and sending them over the internet to a covert CIA server”.
4. Who were the targets of the surveillance?
WikiLeaks said it was redacting “tens of thousands of CIA targets and attack machines throughout Latin America, Europe and the US”. Among the list of possible targets were “Asset”, “Liason Asset”, “System Administrator”, “Foreign Information Operations”, “Foreign Intelligence Agencies” and “Foreign Government Entities”, while references to extremists or transnational criminals were “notably absent”, it added.
5. Are you at risk?
If you own an iPhone, Android smartphone or tablet, Windows computer or Samsung smart TV, its vulnerabilities could theoretically be exploited by the CIA. But unless you are a target of the US spy agency, it’s unlikely someone at Langley is snooping on you.