In what appears to be the largest leak of C.I.A documents in history, WikiLeaks released on Tuesday thousands of pages describing sophisticated software tools and techniques used by the agency to break into smartphones, computers and even Internet-connected televisions.
The documents amount to a detailed, highly technical catalog of tools. They include instructions for compromising a wide range of common computer tools for use in spying: the online calling service Skype; Wi-Fi networks; documents in PDF format; and even commercial antivirus programs of the kind used by millions of people to protect their computers.
A program called Wrecking Crew explains how to crash a targeted computer, and another tells how to steal passwords using the autocomplete function on Internet Explorer. Other programs were called CrunchyLimeSkies, ElderPiggy, AngerQuake and McNugget.
The document dump was the latest coup for the antisecrecy organization and a serious blow to the C.I.A., which uses its hacking abilities to carry out espionage against foreign targets.
The initial release, which WikiLeaks said was only the first installment in a larger collection of secret C.I.A. material, included 7,818 web pages with 943 attachments, many of them partly redacted by WikiLeaks editors to avoid disclosing the actual code for cyberweapons. The entire archive of C.I.A. material consists of several hundred million lines of computer code, the group claimed.
In one revelation that may especially trouble the tech world if confirmed, WikiLeaks said that the C.I.A. and allied intelligence services have managed to compromise both Apple and Android smartphones, allowing their officers to bypass the encryption on popular services such as Signal, WhatsApp and Telegram. According to WikiLeaks, government hackers can penetrate smartphones and collect “audio and message traffic before encryption is applied.”
If you are wondering why you are constantly hearing of some large organization being hacked, one reason is that our state security apparatus refuses to patch holes, because they use them to spy on the rest of us:
Some of the attacks are what are known as “zero days” — exploitation paths hackers can use that vendors are completely unaware of, giving the vendors no time — zero days — to fix their products. WikiLeaks said the documents indicate the CIA has violated commitments made by the Obama administration to disclose serious software vulnerabilities to vendors to improve the security of their products. The administration developed a system called the Vulnerabilities Equities Process to allow various government entities to help determine when it’s better for national security to disclose unpatched vulnerabilities and when it’s better to take advantage of them to hunt targets.
At least some civil liberties advocates agree with the WikiLeaks assessment. “Access Now condemns the stockpiling of vulnerabilities, calls for limits on government hacking and protections for human rights, and urges immediate reforms to the Vulnerabilities Equities Process,” Nathan White, senior legislative manager for digital rights group Access Now, wrote in response to the new leak in a press release.
Iterestingly enough, it appears that the hacking tools were not actually classified:
But Wikileaks also suggests that, because the CIA doesn’t classify its attack tools, it leaves them more vulnerable to theft.
In what is surely one of the most astounding intelligence own goals in living memory, the CIA structured its classification regime such that for the most market valuable part of “Vault 7” — the CIA’s weaponized malware (implants + zero days), Listening Posts (LP), and Command and Control (C2) systems — the agency has little legal recourse.
The CIA made these systems unclassified.
Why the CIA chose to make its cyberarsenal unclassified reveals how concepts developed for military use do not easily crossover to the ‘battlefield’ of cyber ‘war’.
To attack its targets, the CIA usually requires that its implants communicate with their control programs over the internet. If CIA implants, Command & Control and Listening Post software were classified, then CIA officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet. Consequently the CIA has secretly made most of its cyber spying/war code unclassified. The U.S. government is not able to assert copyright either, due to restrictions in the U.S. Constitution. This means that cyber ‘arms’ manufactures and computer hackers can freely “pirate” these ‘weapons’ if they are obtained. The CIA has primarily had to rely on obfuscation to protect its malware secrets.
This is why offensive cyber war is something to be avoided, because any weapon you devise becomes immediately available to the enemy to be deployed against you.
If you find a bug, it should get fixed, because if you can use, so can anyone else.