After multiple teasers from WikiLeaks, on 7th March 2017 the whistle-blowing website released a set of documents called Vault 7. These were purportedly leaked from inside the Center for Cyber Intelligence unit of the CIA. To accompany the Vault 7 documents, WikiLeaks prepared a press release detailing the background and main discoveries of the leak.
However, in the hours following its release there were a number of sensational headlines that claimed encryption on apps like WhatsApp and Signal had been compromised. This isn’t true, despite the widespread reporting. So what exactly did the Vault 7 leaks tell us, and should we worry?
What Are the Vault 7 Leaks?
The Vault 7 documents are the first in a series of releases from WikiLeaks, dubbed Year Zero, from the CIA’s Center for Cyber Intelligence. In total there are 7,818 web pages with 943 attachments that include documents, images, and other files dating between 2013 and 2016.
Although WikiLeaks didn’t name a source for the leak, in their press release they did state that their source “wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons”.
Unlike in previous releases, WikiLeaks has redacted names and other personally identifiable information before publication. In their statement they also said that they have intentionally withdrawn certain information to prevent “the distribution of ‘armed’ cyberweapons”.
What’s in Vault 7?
The documents in Vault 7 seem to have come from a piece of software called Confluence. Confluence is an internal wiki for corporate settings which typically runs on an Atlassian server.
Atlassian servers are notoriously difficult to secure, which could give an indication as to how this leak may have happened.
Being an internal collaboration tool, the release contains work-in-progress projects, presentations, and technical documentation, alongside the code used to execute many of the exploits. Although there is a significant portion of this that has been held back by WikiLeaks.
Smartphone Hacking With Zero-Day Exploits
Software vulnerabilities are inevitable. They are often discovered by researchers, who report them to the developer. The developer will write and deploy a patch and the vulnerability is closed. However, if an attacker finds the vulnerability before the developer, they can create an exploit, known as a zero-day attack.
Vault 7 shows that the CIA had access to a number of zero-day exploits which they were using in order to compromise both Android and iOS devices. Interestingly, it seems that a lot of effort was put into making sure that the exploits would work specifically on Samsung devices. While many of the Android exploits are older than the iOS ones, it’s not clear if that’s because the exploits were still operational or they had shifted their focus towards iOS. There was clearly a lot of effort put into iOS devices, as User Guide for the DBROOM exploit shows that almost every iPad, iPod, and iPhone model is supported.
The documents show that the CIA was purchasing many exploits from other organisations. As Edward Snowden pointed out on Twitter, this is evidence of the US government paying to keep software unsafe. Of course, this isn’t unusual for intelligence organisations or the cyber criminals who often use these exploits. What is unusual is that in this case, the Government is paying in order to keep their citizens less safe by not disclosing the exploits so they can be patched.
Weeping Angel & Samsung Smart TVs
You may remember that back in 2015, it was reported that Samsung TVs may be spying on you. At the time, this was flatly denied by Samsung, and they said that audio was only collected so they can process your voice requests. It turns out that actually Samsung Smart TVs can spy on you, thanks to the CIA.
The Weeping Angel project, run by the Embedded Development Branch (EDB), created an exploit that could turn your smart TV into a microphone, able to report back all audio to the CIA. According to one document from June 2014, they even had plans to add video capture, live stream audio, and disable auto-upgrades.
The Rain Maker tool allowed the CIA to collect system data and specific files from a computer. The tool could be inserted onto a USB drive (or other removable media) and triggered once a user opened the portable version of VLC Media Player on the drive.
The captured data would be encrypted on the removable media, ready to be decrypted at a later time. This implies that for this exploit to work a CIA agent must be able to get physical access to the media drive. The Rain Maker User Guide says that it would work only on Windows XP, Vista, 7, 8, or 8.1. Although, as the guide is dated March 2015, there is the potential that Rain Maker had been extended to support Windows 10.
Vehicle Control Systems
The internet of Things movement has persuaded many manufacturers that adding an internet connection to their products makes them infinitely better. However, there are some that you would really not want to connect — like your car.
While we have seen passenger vehicles be hacked before at Black Hat USA, this was done as an ethical proof-of-concept. Alarmingly the EDB appears to have also been looking at how to compromise connected vehicles. Although the only information Vault 7 gives us on this is minutes from a meeting in October 2014, it’s a cause for concern that they were potentially looking for zero-day exploits in our cars.
Fingerprinting & Framing Other Governments
Back in 2010, news broke of a computer worm called Stuxnet which had infected and caused damage to Iran’s nuclear program. Many security researchers believe that the worm was built by the American and Israeli governments. This is because each attack will contain a “fingerprint” that may identify a particular state or hacking collective.
Vault 7 contained documents that show the CIA was maintaining a database of known malware, keyloggers, and other spyware and exploits. This was used in order build a collection of fingerprints from different states around the world under the UMBRAGE project. They could then use those fingerprints in order to misdirect attribution of the attack if it were discovered.
This is only a fraction of attacks that are included in Vault 7. There are many more relating to Windows, Linux, and Mac OS. The leak also shows that they were developing exploits for routers, as well as looking to compromise anti-virus software.
While the technical information gives a fascinating, and sometimes worrying, insight into how the CIA attempts to infiltrate other organisations and individuals, there is also a more human side on display. Many of the exploits are named after characters in nerd culture — like Weeping Angels, presumably inspired by the creatures of the Doctor Who universe.
Did the CIA Hack WhatsApp?
In the Vault 7 press release WikiLeaks had stated:
These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the “smart” phones that they run on and collecting audio and message traffic before encryption is applied.
They then widely shared a tweet emphasising that “the CIA [is able] to bypass encryption”. This led to most media organisations running with the headline that WhatsApp, Telegram, and Signal’s encryption had been compromised.
— WikiLeaks (@wikileaks) March 7, 2017
Unfortunately, these outlets took no time to either dig deeper, or consider WikiLeaks original statement. By looking at the detail it was clear that the encryption in any of these apps had not been compromised. Instead, WikiLeaks had chosen to editorialize. The CIA had used zero-day exploits in order to compromise smartphones running both iOS and Android.
— zeynep tufekci (@zeynep) March 7, 2017
By compromising the device, they would be able to access data that was not encrypted. This approach is not the same as being able to compromise encryption mechanisms.
Can You Trust WikiLeaks?
According to their website “WikiLeaks is a multi-national media…[which] specializes in the analysis and publication of large datasets of censored or otherwise restricted materials.” After being established by the now-infamous Julian Assange, they published their first release in December 2006.
It gained notoriety and worldwide fame after publishing diplomatic cables from the United States government in 2010. Following the release of the cables, the U.S. launched a criminal investigation into WikiLeaks. Around the same time, Assange was accused of sexual assault and rape in Sweden and a request was made to extradite him. In order to prevent his extradition to either Sweden or the U.S., Assange sought asylum from the Ecuadorian Embassy in London, where he has remained since 2012. WikiLeaks has continued to publish leaks in the meantime including the DNC hacks and Podesta emails in the run up to the US Presidential Election in 2016.
The leak of the DNC and Podesta emails has been widely reported as having been the work of Russian intelligence agents and spies. Although that claim has been disputed by Russia and the Trump Administration, the allegation has remained. Julian Assange’s strained history with the U.S. has led many to believe that he acted alongside the Russian government to undermine confidence in the U.S. electoral system, and to help Donald Trump win the Presidency. This is believed by some to have been an act of revenge after former Secretary of State Hillary Clinton allegedly suggested subjecting Assange to a drone strike following an earlier WikiLeaks release.
Ultimately, this has led to skepticism of the latest WikiLeaks publications, as they feel that the organisation can not be trusted to be impartial, particularly in relation to matters of US government.
The fact that "#Vault7" was released is proof it's worth far more as a political talking point than as any kind of technical weapon.
— SwiftOnSecurity (@SwiftOnSecurity) March 7, 2017
The Vault 7 release also differed from past WikiLeaks publications. Although WikiLeaks does tend to offer contextual background and summaries to their releases, the press release for Vault 7 appears to have been editorialized in order to emphasize particular aspects. As we already saw, they were instrumental to the misreporting around encryption both in their press release, and then again on Twitter.
Does it matter what the truth is, when WikiLeaks can write the headlines, and days later no one can find what they were talking about?
— SwiftOnSecurity (@SwiftOnSecurity) March 7, 2017
It seems as though the staff at WikiLeaks took it upon themselves to insert popular encrypted apps into the conversation as initial readings of Vault 7 show no references to any of the apps WikiLeaks listed. Although many outlets later corrected their initial headlines to reflect that the encryption wasn’t broken, the lasting impression of those statements may undermine confidence in encryption.
Another peculiarity in this release was that WikiLeaks independently redacted over 7,000 pieces of information. Although they have faced heavy criticism for not doing so in the past, even from Edward Snowden, this abrupt change is surprising. This is especially strange given that WikiLeaks themselves have said that “every redaction is propaganda.”
@Yami_no_Yami_YY @ggreenwald Readers are not told. Every redaction is propaganda for "information kills", which threatens all sources and us
— WikiLeaks (@wikileaks) November 24, 2013
Initial reports suggest that the documents inside Vault 7 are genuine so the fundamental point that the CIA has been using exploits in popular technology to hack individuals appears to be true. However, the narrative around the release may not be as impartial as WikiLeaks would have you believe.
Should You Be Worried?
The fact that the CIA has the ability to compromise many of the devices we use every day, including our smartphones, computers, laptops, and smart home devices is extremely unsettling. If the Vault 7 information has been passed around between informants for around a year already as has been suggested, then there is a good chance that the exploits in the leak will be in the hands of various criminals and other governments around the world.
While that could be worrying there is some hope to be found. Most of the exploits listed in the Vault 7 leaks are at least over a year old, and there is a potential that they have been patched in subsequent releases. Even if they haven’t, there is a good chance that now this information is public the companies affected will work to patch them immediately.
OH: "Encryption pushed intelligence agencies from undetectable mass surveillance to high-risk, expensive, targeted attacks." <–THE STORY.
— zeynep tufekci (@zeynep) March 7, 2017
Another reason for comfort, despite the severity of the leak, is that for most of the exploits the CIA had devised, there needed to be some form of physical access to the target or their devices. This means that, from what we’ve seen so far, there is no capability for mass surveillance like we saw in Edward Snowden’s NSA leaks. In fact, a large amount of the exploit relies on agents being able to effectively perform social engineering to gain either access or information.
The uncomfortable truth is that we want "our" intelligence agencies to have these capability… but no one else's to… https://t.co/5XfbUF0YZP
— Troy Hunt (@troyhunt) March 8, 2017
The fact that the CIA develops tools to allow them to spy on foreign organisations and persons of interest shouldn’t really be all that surprising. The CIA’s entire purpose is to collect national security information from around the world. Although it breaks with the time-honored tradition of a James Bond-style spy, the Vault 7 leaks show how the intelligence community is shifting into the digital age.
Cause for Concern?
While Vault 7 is only the first in a series of promised releases under Year Zero, it gave us an insight into how the CIA operates now that intelligence gathering has moved digital. Although the breadth of their exploits was quite astonishing, especially the number for iOS and Linux devices, it might not be as shocking as initial claims suggested.
As the tweet from Troy Hunt noted we all expect our Governments to be doing their utmost to protect us and our security from those that want to do harm, but they are often criticized when their efforts are exposed.
Although the chances that you would be targeted by the CIA are relatively slim, now these exploits are public it may be wise to give yourself a security checkup. Make sure you’re not reusing passwords, use a password manager, keep software up to date, and be on the lookout for social engineering attacks.
Perhaps the most worrying part of Vault 7 isn’t even the exploits themselves. That Vault 7, or any of Year Zero, was exposed shows that despite having access to potentially dangerous “cyber weapons”, the CIA was unable to protect these from being leaked for the entire world to see.
What do you make of the latest WikiLeaks release? Is it something to worry about or did you already suspect? What will be in the rest of the Year Zero leaks? Let us know your thoughts in the comments!
Image Credits: Gearstd/Shutterstock