Insights For Success

Strategy, Innovation, Leadership and Security

What the CIA Vault7 Wikileak really means for consumers

GeneralEdward Kiledjian1 Comment
Wikileaks Unveils ‘Vault 7’: “The Largest Ever Publication Of Confidential CIA Documents”; Another Snowden Emerges
— Zerohedge
It includes software that could allow people to take control of the most popular consumer electronics products used today, claimed WikiLeaks.
— independent.co.uk
Surprise, everyone, the US Central Intelligence Agency (CIA) allegedly has the means to hack everyday electronics.
— techradar.com

Yes Wikileaks released a very large chunk of CIA information dubbed Vault7 that explains some of the hacking capabilities of the US intelligence service vis-a-vis consumer electronics. Obviously this "isn't good" from a privacy perspective because if the US intelligence community has these capabilities, other nation-states may also have them. 

After going through some of the information, I want to dispel some of the FUD (Fear Uncertainty and Doubt).

Are Whatsapp or Signal hacked?

I have written about Whatsapp security and professed my love for Signal . Many readers messaged me in a panic asking if these apps had "weak" security and had been breached by the CIA. 

Signal and Whatsapp encryption was not broken. 

The CIA would compromise the smartphone (iphone or Android) and then would install malware that would record audio, text or video before the Whatsapp/Signal encryption. 

The Wikileaks statement reads like this:

These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the ‘smart’ phones that they run on and collecting audio and message traffic before encryption is applied.
— Wikileaks

So the short answer is no, these messaging apps were not compromised and their security is still good. Every security researcher know you must must must secure the endpoint because it is normally the weakest link in the chain. Here is proof. 

The security of Signal protocol was recently reviewed during a security audit and it passed with glowing colors. The EFF also rates Signal as an "all green" messaging app. 

Is the CIA hoarding 0 zero vulnerabilities?

We don't know what the CIA is really doing but based on the Vault7 Wikileak, I would say no. Very few 0 day attacks seem to be mentioned in the dump and any that were are being actively used. Nothing in the leak seems to indicate a hoarding of 0 zero vulnerabilities for emergency use.

The attacks mentioned in the leaks may be worrisome to John or Jane Doe but they are nothing new for anyone working in security. They seem to be leveraging "stuff" we already know about the Information Security circles. Yes they sometimes buy advanced attacks from brokers or researchers but most of what I read, I expected them to have.

Nothing I read would indicate that the CIA digital attack toolkit is better than that of the NSA. It is safe to assume the NSA has much stealthier and more powerful tools.

Do I break my Smart TV?

Don't throw away your Smart TV just yet. We learned that the CIA can hack your Smart TV and turn it into an espionage tool by running hacking software via USB port on the TV. Let me say that again, via USB port

Nothing in the document indicates that they can do this remotely via the internet. In security, we always assume that it is impossible to protect an asset if a bad actor can gain physical access to it. Nothing new here. 

Attribution

There are 2 pieces of malware in the wild that were thought to have come from China and Russia but can now likely be attributed to the CIA. These leaks provide enough information for security companies to now make educated assumptions about malware sources they know about and are trying to identify the source of. 

A colleagues working for a US security company said that they can now attribute 2 malware to the CIA previously thought to have come from China or Russia. He said his company will now use the info in these leaks to built signatures to detect and remediate some of the vulnerabilities mentioned here. 

Does this hurt the CIA. I would say no. There are enough vulnerability brokers in the dark market and the CIA has enough money to quickly rebuild a new toolkit.

Are these advanced hacking techniques?

No. They may seem advanced for the average Joe but there wasn't anything monumental or earth shattering for a security researcher. Funny enough, I've been chatting with one of my employees about a new tool from Hak5 called Bash Bunny. The Bash Bunny seems to be more advanced than many of the techniques revealed in this document. 

Is my tech safe?

The BBC published a good article documenting the reaction from major consumer tech manufacturers. 

As expected, Apple provided a lengthy response and committed to working with its security team to plug as many of the holes as quickly as possible.

While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities
— Apple PR

Samsung provided this response

We are aware of the report in question and are urgently looking into the matter.
— Samsung PR
We are aware of the report and are looking into it
— Microsoft PR

Notably absent (at least while I write this) is a response from Google about the vulnerabilities in Android that were actively exploited. As we know, not all Android phones receive timely updates and even those that do have some worrisome vulnerabilities. 

For the general consumer that is not being targeted by a nation-state intelligence agency, as long as you adhere to good security practices, an a Google branded Android phone will be just as safe as an Apple iPhone. I cannot recommend buying an Android phone from any other manufacturer as updates may be slow or non-existent. 

If you are in a job were security is critical, i would still contend that the iPhone is likely more secure because of the way Apple locks everything down.

Conclusion

I won't lose any sleep over the CIA leak. Yes it confirms that the US intelligence apparatus is actively targeting consumer hardware but we all assumed they were doing this anyway. Nothing in this leak revealed anything new and I would assume the NSA Signals Intelligence team is still the king of the hill. Sure the CIA seems to have a couple pocket knives but the NSA still has that 10" Rambo knife strapped to its belt.

 Also assume anything the US is doing can be easily replicated by other nation state actors. Do you really want foreign governments to have these abilities and your own (Canada, US, UK, Australia, etc) not to?