The antigovernment-secrecy organization’s data dump, which contained nearly 9,000 pages of purported internal CIA documents, indicated that the spy agency had gained access to Android and Apple smartphones, Samsung SmartTVs and Internet-enabled cars using a variety of tools. WikiLeaks, which did not identify the source of the information, said Tuesday’s release was just a part of the documents it had obtained, and that it also had the underlying code the CIA used to carry out cyberattacks.
The data did not indicate how many devices had been compromised or name any specific targets of CIA cyberattacks, though dozens of device-specific vulnerabilities and attacks were named in the leak.
While the technology companies whose products were cited in the documents scrambled to identify and patch security holes, experts warned that the leak may do more than compromise government operations — it may open people up to attacks from criminals or other countries aiming to exploit the same vulnerabilities to collect private data.
The Chronicle could not independently verify the authenticity of the documents, though several cybersecurity experts, some with previous government experience, said they appeared legitimate.
Among the more unsettling revelations in the leaked documents was the indication that the CIA had found a way around even the most secure communications apps, which encrypt communications in such a way that no third party can access them.
Signal, developed by San Francisco nonprofit Open Whisper Systems, and WhatsApp, which is owned by Facebook and widely used by refugees, migrants and those traveling abroad, were among several apps whose messages were compromised, according to the data released by WikiLeaks.
CIA hackers found a way to break into smartphones and read — or listen — to messages in real time, before the communication could be encrypted by the apps transmitting them, according to the documents.
Downloads of encrypted messaging apps like Signal have spiked since Donald Trump won the presidency in November. Intelligence experts have attributed the spike to widespread concern among activists, whistle-blowers, journalists and marginalized communities about how Trump might use the nation’s intelligence apparatus to target them.
On Tuesday, many took to social media to fret over the extent to which messaging apps that they believed secure may not be.
But Moxie Marlinspike, founder of Open Whisper Systems, said, if anything, the data show that Signal and apps like it are actually working.
“End-to-end encryption has pushed intelligence agencies from unfettered access to mass surveillance to a world where they have to use expensive, high-risk, targeted attacks against individuals to gain access to their information,” he said. “If you use these kinds of attacks on a massive scale, it increases the risk of detection. So to break into people’s phones and get access to encrypted messages, these agencies now have to be very selective. I think that’s a good thing.”
Because end-to-end encryption means that only the people engaged in a conversation have the keys to unlock the scrambled message they are sharing, outsiders attempting to intercept the communication would be unable to make sense of it without the key.
But according to the leaked documents, the CIA appears to have bypassed this obstacle by hacking the phones used to send messages or make calls. Hackers who gain access to a device’s operating system may be able to record calls and messages in real time, as a person is speaking into their microphone or typing on their keyboard — before the message is actually sent.
“Once you have malware on an operating-system level, you can record keystrokes as they’re being typed,” said Jeremiah Grossman, SentinelOne’s chief of security strategy.
Security experts advised that people continue to encrypt their communication and use apps like Signal and WhatsApp to do so.
“The worst thing that could happen is for users to lose faith in encryption-enabled tools and stop using them,” wrote Cindy Cohn, the executive director of the Electronic Frontier Foundation. “The dark side of this story is that the documents confirm that the CIA holds on to security vulnerabilities in software and devices — including Android phones, iPhones and Samsung television — that millions of people around the world rely on.”
Apple, Google and WhatsApp declined to comment on the security risks revealed in the leak. Samsung did not reply to a request for comment.
Hoarding information about vulnerabilities that are unknown to the creator of the technology, or what are known in the intelligence community as “zero days,” leaves those holes open to anyone looking to hack or attack people’s devices.
It was not immediately clear how many zero-day vulnerabilities were revealed Tuesday, though WikiLeaks wrote in a news release accompanying the leak that the data included 24 such vulnerabilities for Android devices alone. The data dump included a comprehensive list of attacks the CIA had used to gain access to Android and Apple devices, including several mentions of malicious software that the government appears to have purchased.
One such vulnerability was used to hack into Samsung’s SmartTV and falsely show it as turned off, which allowed CIA hackers to surreptitiously record audio through the device.
Alex Rice, the chief technology officer of San Francisco cybersecurity firm HackerOne, said the WikiLeaks data disturbed him on a personal level; he has a Samsung TV in his bedroom.
“My Samsung Smart TV faces my bed, and I’m upset that the government was sitting on known vulnerabilities that could have made me and my family a target for criminals,” he wrote in an email to The Chronicle. “Vulnerabilities are difficult to keep secret, and this news shows they don’t remain secret for long. The longer these vulnerabilities stay unpatched, the more threatening they become because they can fall into criminal hands. The CIA put consumers at risk by not reporting these bugs.”
For years, technology companies have asked the government to hand over information on vulnerabilities and zero days it discovers. Under the Obama administration, the White House issued a compromise known as the Vulnerabilities Equities Process, which asked intelligence agencies to disclose as many security vulnerabilities as possible unless there was a demonstrated public interest in keeping some quiet.
Critics have long denounced the agreement for being opaque and difficult to enforce, while still allowing the government unchecked authority to decide when to keep information that may compromise millions of devices to itself.
The CIA cache published by WikiLeaks seems to validate these concerns, experts said, and point to a need for greater information sharing between tech companies and government agencies.
“If there is a vulnerability in the wild and it is not making it into the hands of the vendor so it can be resolved, something is broken,” Rice said. “This ultimately strains tech companies’ relationship with the U.S. government.”
©2017 the San Francisco Chronicle Distributed by Tribune Content Agency, LLC.
