Yes, Wikileaks released a very large chunk of CIA information dubbed Vault7 that explains some of the hacking capabilities of the US intelligence service vis-a-vis consumer electronics. Obviously this "isn't good" from a privacy perspective because if the US intelligence community has these capabilities, other nation-states may also have them.
After going through some of the information, I want to dispel some of the FUD (Fear, Uncertainty and Doubt).
Are Whatsapp or Signal hacked?
Signal and Whatsapp encryption was not broken.
The CIA would compromise the smartphone (iPhone or Android) and then install malware that records audio, text or video before the Whatsapp/Signal encryption is applied.
The Wikileaks statement reads like this:
So the short answer is no, these messaging apps were not compromised and their security is still good. Every security researcher knows you must, must, must secure the endpoint because it is normally the weakest link in the chain. Here is proof.
Is the CIA hoarding zero-day vulnerabilities?
We don't know what the CIA is really doing, but based on the Vault7 Wikileak, I would say no. Very few zero-day attacks seem to be mentioned in the dump, and any that were are being actively used. Nothing in the leak seems to indicate a hoarding of zero-day vulnerabilities for emergency use.
The attacks mentioned in the leaks may be worrisome to John or Jane Doe, but they are nothing new for anyone working in security. They seem to be leveraging "stuff" we already know about in information security circles. Yes, they sometimes buy advanced attacks from brokers or researchers, but most of what I read, I expected them to have.
Nothing I read would indicate that the CIA digital attack toolkit is better than that of the NSA. It is safe to assume the NSA has much stealthier and more powerful tools.
Do I break my Smart TV?
Don't throw away your Smart TV just yet. We learned that the CIA can hack your Smart TV and turn it into an espionage tool by running hacking software via the USB port on the TV. Let me say that again, via the USB port.
Nothing in the document indicates that they can do this remotely via the internet. In security, we always assume that it is impossible to protect an asset if a bad actor can gain physical access to it. Nothing new here.
There are 2 pieces of malware in the wild that were thought to have come from China and Russia but can now likely be attributed to the CIA. These leaks provide enough information for security companies to now make educated assumptions about malware sources they know about and are trying to identify the source of.
A colleague working for a US security company said that they can now attribute two pieces of malware to the CIA that were previously thought to have come from China or Russia. He said his company will now use the info in these leaks to build signatures to detect and remediate some of the vulnerabilities mentioned here.
Does this hurt the CIA? I would say no. There are enough vulnerability brokers in the dark market, and the CIA has enough money to quickly rebuild a new toolkit.
Are these advanced hacking techniques?
No. They may seem advanced for the average Joe but there wasn't anything monumental or earth shattering for a security researcher. Funny enough, I've been chatting with one of my employees about a new tool from Hak5 called Bash Bunny. The Bash Bunny seems to be more advanced than many of the techniques revealed in this document.
Is my tech safe?
The BBC published a good article documenting the reaction from major consumer tech manufacturers.
As expected, Apple provided a lengthy response and committed to working with its security team to plug as many of the holes as quickly as possible.
Samsung provided this response:
Notably absent (at least while I write this) is a response from Google about the vulnerabilities in Android that were actively exploited. As we know, not all Android phones receive timely updates and even those that do have some worrisome vulnerabilities.
For the general consumer who is not being targeted by a nation-state intelligence agency, as long as you adhere to good security practices, a Google-branded Android phone will be just as safe as an Apple iPhone. I cannot recommend buying an Android phone from any other manufacturer, as updates may be slow or non-existent.
If you are in a job where security is critical, I would still contend that the iPhone is likely more secure because of the way Apple locks everything down.
I won't lose any sleep over the CIA leak. Yes it confirms that the US intelligence apparatus is actively targeting consumer hardware but we all assumed they were doing this anyway. Nothing in this leak revealed anything new and I would assume the NSA Signals Intelligence team is still the king of the hill. Sure the CIA seems to have a couple pocket knives but the NSA still has that 10" Rambo knife strapped to its belt.
Also assume anything the US is doing can be easily replicated by other nation state actors. Do you really want foreign governments to have these abilities and your own (Canada, US, UK, Australia, etc) not to?