Cybercriminals Possess CIA Hacking Tools: What This Means for You

Kannon Yamada 13-03-2017

So you didn’t care about Google, Amazon, Facebook, and Samsung eavesdropping on you. But how do you feel about cyber criminals listening in on your bedroom conversations? WikiLeaks’s Vault 7 file suggests you may soon play host to unexpected visitors.


The Central Intelligence Agency’s most dangerous malware — capable of hacking nearly all wireless consumer electronics — could now sit in the hands of thieves and terrorists. So what does that mean for you?

What’s Vault 7?

Vault 7 is a leaked trove of documents pertaining to the Central Intelligence Agency’s (CIA) cyber warfare capabilities. Much of the software described in Vault 7 reveals how the CIA controls and surveils using smartphones, tablets, smart TVs, and other internet-connected devices. On March 7th, WikiLeaks published a tiny fraction of the documents.

What should terrify everyone: According to WikiLeaks, the CIA lost control of these tools. And now criminals (probably) possess them. However, many of the published exploits (there are many as-of-yet unpublished exploits) are almost five years old and have since been patched.

How Criminals Obtain U.S. Hacking Tools

Not everyone who works for an intelligence agency is a card-carrying member. The CIA regularly outsources employment to federal contractors in the private sector. Many of these private intelligence firms, such as HBGary, lack the CIA’s security.

Edward Snowden Was a Federal Contractor

For example, Booz Allen Hamilton employed NSA contractor Edward Snowden, who famously leaked documents pertaining to the NSA’s illegal surveillance programs. Additionally, Booz Allen Hamilton suffered a 2011 hack.


Cybercriminals Possess CIA Hacking Tools: What This Means for You national security agency
Image Credit: 360b via Shutterstock

In its official statement, WikiLeaks asserted (emphasis mine):

The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

One part of the quote stands out: the tools were circulated in an “unauthorized manner”. The implication should concern everyone in the world. The CIA probably lost control of a $100 billion portfolio of hacking tools.

But this isn’t the first time that private actors acquired dangerous, government-developed software.


The Stuxnet Worm

For example, the Stuxnet worm Microsoft Patches Freak & Stuxnet, Facebook Stops You Feeling Fat [Tech News Digest] Microsoft patches problems, Facebook is no longer Feeling Fat, Uber wants women, iPhone Google Calendar, PlayStation lands in China, and playing Snake in a water fountain. Read More , another weaponized malware, fell into the hands of cyber criminals soon after its 2010 discovery. Since then, Stuxnet occasionally pops up as malware. Part of its ubiquity relates to its codebase. According to Sean McGurk, a cyber security researcher, the source code for Stuxnet is available for download.

You can download the actual source code of Stuxnet now and you can repurpose it and repackage it and then, you know, point it back towards wherever it came from.

That means pretty much any coder can build their own Stuxnet-based malware kit. The CIA’s lack of control over its cyber arsenal ensures that exploits will continue flowing into the hands of for-profit criminals, terrorists, and rogue states. No better example exists than the ShadowBrokers.

The Shadow Brokers

In 2016, the Shadow Brokers group infamously auctioned off a series of state-manufactured hacking tools. How they stole the tools is anyone’s guess, but where they acquired them is known: the NSA.

According to The Intercept, documents inside the Snowden leak connect the tools stolen by the Shadow Brokers with the hacking group known as Equation Group (EG). EG employed exploits that were later found in the state-sponsored Stuxnet worm — which highly suggests a connection between the NSA and EG. Combined with the leaked tools, it appears that the NSA and CIA are unable to control their own technologies.


But does that mean your privacy and security are compromised?

A History of Spying on Customers

Your privacy and security are already compromised.

Almost all modern smart products include microphones. Some devices require pressing a button to turn on the microphone or camera. Others listen continuously for the utterance of a keyword. For example, Samsung’s range of smart TVs Samsung's Latest Smart TVs Are Straight Out Of George Orwell's 1984 A new feature in the latest Samsung smart TVs has put the Korean giant in a bit of hot water. It turns out they've been listening to everything you've been saying... Read More constantly listen, record, and transmit — all without relying on sophisticated government surveillance.

Smart TVs Are Owned

Samsung’s privacy statement regarding their smart TVs is troubling. Although Samsung modified their privacy terms-of-service to avoid controversy, the original statement, captured by Twitter user xor, goes as follows:


Cybercriminals Possess CIA Hacking Tools: What This Means for You twitter xor samsung smart tv

Here’s the relevant quote from Samsung (emphasis mine):

Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.

In short, smart televisions hear everything you say. And Samsung shares that data with third parties. Those third parties, however, are assumed to be businesses with only a commercial interest in your conversations. And you can always turn the thing off.

Unfortunately, the “Weeping Angel” hack developed by the CIA makes it so the TV can’t turn off. Weeping Angel targets Samsung smart TVs. The Vault 7 documentation refers to this as Fake-Off mode. From WikiLeaks:

…Weeping Angel places the target TV in a “Fake-Off” mode, so that the owner falsely believes the TV is off when it is on. In “Fake-Off” mode the TV operates as a bug, recording conversations in the room and sending them over the internet to a covert CIA server.

Samsung isn’t alone. After all, Facebook, Google, and Amazon (our review of the Echo Amazon Echo Review and Giveaway Amazon’s Echo offers a unique integration between voice recognition, personal assistant, home automation controls, and audio playback features for $179.99. Does the Echo break into new ground or can you do better elsewhere? Read More ) also rely on using the microphones of devices — often without the knowing consent of users. For example, Facebook’s privacy statement claims that they do use the microphone, but only when the user uses “specific” features of the Facebook application.

How Technology Enables Illegal Surveillance

The biggest security flaw on modern smartphones is its software. By exploiting security vulnerabilities in a browser or operating system, an attacker can remotely access all features of a smart device — including its microphone. In fact, that’s how the CIA accesses most of its targets’ smartphones: right over a cellular or Wi-Fi network.

Of the 24 Android exploits developed by the CIA, its contractors, and cooperating foreign agencies, eight can be used to remotely control a smartphone. I assume that once under control, the malware operator would then use a combination of attacks, combining remote access, privilege escalation, and the installation of persistent malware (as opposed to malware that lives in RAM).

The techniques listed above normally rely on the user clicking a link in their email. Once the target navigates to an infected website, the attacker then can take control of the smartphone.

A False Hope: The Hacks Are Old

On a false note of hope: of the hacks revealed in Vault 7, most pertain to older devices. However, the files only include a fraction of the total hacks available to the CIA. More than likely, these hacks are mostly older, obsolete techniques, which the CIA no longer uses. However, that’s a false hope.

Many of the exploits apply broadly to systems-on-a-chip (what’s an SoC? Jargon Buster: The Guide to Understanding Mobile Processors In this guide, we'll cut through the jargon to explain what you need to know about smartphone processors. Read More ) rather than to individual phones.

Cybercriminals Possess CIA Hacking Tools: What This Means for You 2017 03 09 12h46 06
Image Credit: Chronos Exploit via WikiLeaks

For example, in the graphic above, the Chronos exploit (among others) can hack the Adreno chipset. The security flaw encompasses almost all smartphones based on Qualcomm processors. Again, keep in mind that less than 1 percent of Vault 7’s content has been released. There are likely many more devices vulnerable to penetration.

However, Julian Assange offered to help all major corporations patch the security holes revealed by Vault 7. With any luck, Assange might share the archive with the likes of Microsoft, Google, Samsung, and other companies.

What Vault 7 Means for You

The word isn’t in yet on who possesses access to the archive. We don’t even know whether or not the vulnerabilities still exist. However, we do know a few things.

Only 1 Percent of the Archive Has Been Published

While Google announced it fixed most of the security vulnerabilities used by the CIA, less than 1 percent of the Vault 7 files have been released. Because only older exploits were published, it’s likely that almost all devices are vulnerable.

The Exploits Are Targeted

The exploits are mostly targeted. That means that an actor (such as the CIA) must specifically target an individual in order to gain control of a smart device. Nothing in the Vault 7 files suggests that the government is sweeping up, en masse, conversations gleaned from smart devices.

Intelligence Agencies Hoard Vulnerabilities

Intelligence agencies hoard vulnerabilities and do not disclose such security breaches to corporations. Because of shoddy operations security, many of these exploits eventually make their way into the hands of cyber criminals, if they are not already there.

So Can You Do Anything?

The worst aspect of the Vault 7 revelations is that no software provides protection. In the past, privacy advocates (including Snowden) recommended using encrypted messaging platforms, such as Signal, in order to prevent man-in-the-middle attacks What Is a Man-in-the-Middle Attack? Security Jargon Explained If you've heard of "man-in-the-middle" attacks but aren't quite sure what that means, this is the article for you. Read More .

However, Vault 7’s archives suggest that an attacker can log a phone’s keystrokes. Now it seems that no internet-connected device avoids illegal surveillance. Fortunately, it’s possible to modify a phone to prevent its use as a remote bug.

Edward Snowden explains how to physically disable the camera and microphone on board a modern smartphone:

Depending on the model of phone, Snowden’s method requires physically desoldering the microphone array (noise canceling devices use at least two microphones) and unplugging both the front-facing and rear-facing cameras. You then use an external microphone, instead of the integrated mics.

I’d note, though, that unplugging the cameras isn’t necessary. The privacy-minded can simply black out the cameras with tape.

Downloading the Archive

Those interested in learning more can download the entirety of the Vault 7 dump. WikiLeaks intends on releasing the archive in small chunks throughout 2017. I suspect that the subtitle of the Vault 7: Year Zero refers to the enormity of the archive’s size. They have enough content to release a new dump every year.

You can download the complete password protected torrent. The password for the first part of the archive is as follows:

Are YOU concerned about the CIA’s loss of control over their hacking tools? Let us know in the comments.

Image Credit: hasan eroglu via

Related topics: Malware, Surveillance, WikiLeaks.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. A Hunter
    March 14, 2017 at 1:21 pm

    This is exactly the point that Bruce Schneier makes so frequently, which is that anything that the CIA knows about, other people may well know about too. There is no way to stop a 'good guy' from using a vulnerability, or a 'bad guy'. A vulnerability is a vulnerability, so to protecting ourselves can only really be accomplished if developers know about bugs in their software. Unfortunately, the hoarding of these exploits is unlikely to change anytime soon.

  2. Howard A Pearce
    March 13, 2017 at 9:13 pm

    Like so many other articles on this recent leak, there is little to no concentration on what seems very probable that with all these methods and device abilities uncovered, the intelligence agencies of the U.S. have probably been spying of its own citizens as the Snowden release showed too. Put his on top of CLapper's lie to congress that such spying did not exist.

    Instead MUD concentrates mostly on cyber-criminals whom one can only assume does not include the U.S. government itself.

    We can at least thank MUD for not implying that Assange might be morally prosecuted as a criminal for the death penalty

    • Kannon Yamada
      March 14, 2017 at 8:18 am

      That's a good point. The Snowden leak did show illegal domestic surveillance, but nothing in the current leaks dealt with it. But that's important context and it should have at least been mentioned.