WikiLeaks published a large cache of documents stolen from the CIA related to hacking tools on Tuesday. The Wall Street Journal has confirmed their authenticity with an intelligence source.
The files seem explosive at first glance. Internal CIA files are rarely seen, and WikiLeaks has used them to claim that the agency has “lost control of the majority of its hacking arsenal.”
But some of the claims that WikiLeaks presented along with the documents have been criticised by security researchers as being exaggerated or overblown. WikiLeaks has claimed that secure messaging apps have been broken, and that the CIA can hack into iPhones, which have widely been seen as a more secure choice than Android.
Although the documents themselves are a rare and fascinating look into the CIA, there isn’t much in there that should worry everyday people for now, security researchers and professionals told Business Insider.
Here’s what you need to know as an iPhone or iPad user about WikiLeaks’ “Vault 7” dump.
Apps like Signal and WhatsApp are commonly cited as secure messaging apps, meaning that the government, companies, or hackers can’t intercept messages in transit and read them.
That’s what security professionals call ‘end-to-end encryption.’
So, if the CIA was able to break into Signal, as several outlets and commentators have claimed, that would be a big deal. Even WikiLeaks is phrasing its claims to make it sound like this is the case.
The good news is that there is no evidence in the WikiLeaks dump that suggests the math that keeps messages secure — called ‘crypto’ — behind either WhatsApp or Signal has been broken, as suggested by WikiLeaks.
Instead, the claim is more fundamental. If the CIA were able to hack into an end user’s iPhone or Android device, then Signal’s crypto wouldn’t matter. The CIA would be able to read what users are seeing and sending before it was encrypted by the software.
If your computer or operating system, like iOS, is already compromised, then it doesn’t matter how secure your messaging system is.
Basically, “CIA has some expensive, targeted ways to hack phones, and if your phone is hacked, well, your apps won’t save you,” Zeynep Tufekci, New York Times contributor and associate professor at the University of North Carolina School of Information and Library Science, told Business Insider.
“If someone is specifically targeted and their phone is running an older version and thus vulnerable to exploitation, no ‘secure’ apps can protect you because the OS itself is compromised,” Will Strafach, CEO of Sudo Security Group and a security professional with extensive experience with iOS exploits, told Business Insider.
Signal’s underlying technology remains secure.
“End-to-end encryption has pushed intelligence agencies away from undetected and unfettered mass surveillance to where they have to use high-risk and targeted attacks,” Signal creator Moxie Marlinspike told New York magazine.
“WikiLeaks has an interest in getting big hype for their leaks obviously, so it blurs what is and is not a concern,” Strafach said.
Although WikiLeaks claims the CIA has exploits that can work on iPhones, the actual tools and code needed to carry out those hacks were not included in the document release, according to Strafach and other security experts.
The documents do refer to iOS exploits — commonly called “zero days”, or bugs that are not yet publicly known or patched — but they tend to be threads and hints leading towards a working exploit, rather than what’s needed to verify the CIA’s capabilities. And many of the exploits in the leaked files have already been found and squashed.
Apple declined to comment on the WikiLeaks files.
What WikiLeaks is claiming the CIA can do is scary: Basically, using expensive undiscovered bugs, it could take over a target’s phone if it gets them to click on a link, or reaches them through another attack vector.
Using exploits, hackers can “make a phone appear to be off when it’s really on, and enable your microphone, and be able to listen to conversations you’re having with other people,” exploit vendor and famous hacker Kevin Mitnick told Business Insider last month.
Strafach said that after perusing the WikiLeaks files, “If you are an average iOS user and you are worried about a malicious party downloading this leak and using information from it to hack your iOS device, you can rest easy.”
“This is not possible from what has currently been released,” he said.
Strafach said that many of the files seem to show tools that do “not appear to be incredibly ‘production-ready’ and are experimental in nature”. Many of the files released look like the work of a small team working on experimentation and R&D, and resemble how iPhone jailbreakers and small security companies put together research and internal wiki websites, he said.
“I can’t rule out that there is not a single live vulnerability at all mentioned, but I at least have been able to ascertain that this leak does not have anything which can pose a threat to an everyday user,” he said.
WikiLeaks said that it removed code and other parts of its leaked data that could be used by hackers. But it has said that Tuesday’s dump is only the first of many — it’s possible that WikiLeaks is planning to publish exploit code in the future.
But that might end up being a good thing for iPhone and iPad users, because when an exploit becomes public, it gets patched by Apple and other big tech companies. Once it’s patched, hackers and organisations like the CIA can’t use it anymore.
Apple pays up to $US500,000 for a working iOS exploit. Mitnick said the going rate for an iOS exploit can range up to $US1,500,000.
If any exploits are revealed by the WikiLeaks CIA files, it’s possible the leak has just made millions of dollars’ worth of software useless. The CIA “have to use these (attacks) very carefully,” Marlinspike said to New York magazine. “Every time they use one, there’s a chance it will be detected, which costs millions of dollars to them.”
For maximum security, you should update to the latest version of iOS on your iPhone or iPad in Settings > General > Software Update.