WikiLeaks today published a cache of 8,761 secret documents detailing tactics the United States Central Intelligence Agency (CIA) relies on for breaching iPhones, iPads, Android smartphones and tablets, Windows PCs and even routers and smart TVs. It’s currently unclear if the documents—available to peruse on the group’s website—have serious privacy and security implications. Dubbed “Vault 7”, the leak has been teased on WikiLeaks’ Twitter account for a few weeks prior to its release.
Leaked documents prove that the agency is in possession of so-called “zero day” exploits for a number of platforms, including Windows, macOS, Solaris, Linux and more. Though nothing new, the development is newsworthy because zero day exploits are commonly unknown to Apple and the security community at large.
In addition to obtaining exploits from GCHQ, NSA and FBI—or buying them from cyber arms contractors such as Baitshop—the CIA runs a specialized unit within its Center for Cyber Intelligence that’s solely focused on developing exploits for iOS devices.
These tools allow the CIA to take control of target iOS devices and exfiltrate data from iOS devices. “The disproportionate focus on iOS may be explained by the popularity of the iPhone among social, political, diplomatic and business elites,” says WikiLeaks.
The organization added:
The same vulnerabilities exist for the population at large, including the U.S. Cabinet, Congress, top CEOs, system administrators, security officers and engineers. By hiding these security flaws from manufacturers like Apple and Google the CIA ensures that it can hack everyone at the expense of leaving everyone hackable.
WikiLeaks warns that as long as the CIA keeps these vulnerabilities concealed from Apple and Google, they will not be fixed and the phones will remain hackable.
Will Strafach aka Chronic isn’t impressed by the leak.
“Nothing interesting or new yet, but still looking,” he wrote on Twitter.
WikiLeaks says the CIA lost control of the majority of its hacking arsenal that targets iOS devices and other platforms, including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation.
“This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA,” notes WikiLeaks.
Another excerpt from WikiLeaks:
By the end of 2016, the CIA’s hacking division, which formally falls under the agency’s Center for Cyber Intelligence (CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other “weaponized” malware.
Such is the scale of the CIA’s undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its “own NSA” with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.
The CIA even has automated malware attack and control system.
Some of the CIA’s internal tools and techniques have allowed the agency to “penetrate, infest and control” both Android and iPhone software that has run presidential Twitter accounts. Aside from smartphones and tablets, the agency is capable of breaching Samsung’s smart TVs and eavesdrop on conversations without anyone in the room knowing, sending audio recordings over the Internet to a covert CIA server.
The attack, called “Weeping Angel” and created in partnership with UK’s MI5/BTSS, basically places a smart TV in a “Fake-Off” which fools the owner into believing that their TV is off when it is actually on.
Perhaps most worryingly of all, the documents reveal that the CIA has the power to manipulate certain vehicle software in order to cause fatal accidents that the agency likens to “nearly undetectable assassinations.”