13 May 2018

The CIA just lost control of its hacking arsenal. Here’s what you need to know.


WikiLeaks just released internal documentation of the CIA’s massive arsenal of hacking tools and techniques. These 8,761 documents — called “Vault 7” — show how their operatives can remotely monitor and control devices, such as phones, TVs, and cars. And what’s worse, this archive of techniques seems to be out in the open, where all manner of hackers can use it to attack us. “The CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA.” — WikiLeaks


WikiLeaks has chosen not to publish the malicious code itself “until a consensus emerges on… how such ‘weapons’ should be analyzed, disarmed and published.”

But this has laid bare just how many people are aware of these devastating hacking techniques.
“This archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.” — WikiLeaks

Disturbingly, these hacks were bought or stolen from other countries’ intelligence agencies, and instead of closing these vulnerabilities, the government put everyone at risk by intentionally keeping them open.
“[These policy decisions] urgently need to be debated in public, including whether the CIA’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency.” — the operative who leaked the data

First, I’m going to break down three takeaways from today’s Vault 7 release that every American citizen should be aware of. Then I’ll give you actionable advice for how you can protect yourself from this illegal overreach by the US government — and from the malicious hackers the government has empowered through its own recklessness.
Takeaway #1: If you drive an internet-connected car, hackers can crash it into a concrete wall and kill you and your family.

I know, this sounds crazy, but it’s real.
“As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks. The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations.” — WikiLeaks

We’ve known for a while that internet-connected cars could be hacked. But we had no idea of the scope of this until today.

Like other software companies, car manufacturers constantly patch vulnerabilities as they discover them. So if you have an internet-connected car, always update to the latest version of its software.

As Wikileaks makes more of these vulnerabilities public, car companies should be able to quickly patch them and release security updates.
Takeaway #2: It doesn’t matter how secure an app is — if the operating system it runs on gets hacked, the app is no longer secure.

Since the CIA (and probably lots of other organizations, now) know how to compromise your iOS and Android devices, they can intercept data before it even reaches the app. This means they can grab your unencrypted input (microphone, keystrokes) before Signal or WhatsApp can encrypt it.

One important way to reduce the impact of these exploits is to open source as much of this software as possible.
“Proprietary software tends to have malicious features. The point is with a proprietary program, when the users don’t have the source code, we can never tell. So you must consider every proprietary program as potential malware.” — Richard Stallman, founder of the GNU Project

You may be thinking — isn’t Android open source? Its core is open source, but Google and handset manufacturers like Samsung are increasingly adding closed-source code on top of this. In doing so, they’re opening themselves up to more ways of getting hacked. When code is closed source, there’s not much the developer community can do to help them.
“There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.” — John Chambers, former CEO of Cisco

By open-sourcing more of the code, the developer community will be able to discover and patch these vulnerabilities much faster.
Takeaway #3: Just because a device looks like it’s turned off doesn’t mean it’s really turned off.

One of the most disturbing exploits involves making Smart TVs look like they’re turned off, but actually leaving their microphones on. People all around the world are literally bugging their own homes with these TVs.

The “fake-off” mode is part of the “Weeping Angel” exploit:
“The attack against Samsung smart TVs was developed in cooperation with the United Kingdom’s MI5/BTSS. After infestation, Weeping Angel places the target TV in a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on. In ‘Fake-Off’ mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.” — Vault 7 documents

The leaked CIA documentation shows how hackers can turn off LEDs to make a device look like it’s off.

You know that light that turns on whenever your webcam is recording? That can be turned off, too. Even the director of the FBI — the same official who recently paid hackers a million dollars to unlock a shooter’s iPhone — is encouraging everyone to cover their webcams.

Just like how you should always treat a gun as though it were loaded, you should always treat a microphone as though it were recording.

What can you do about all this?

It’s not clear how badly all of these devices are compromised. Hopefully Apple, Google, and other companies will quickly patch these vulnerabilities as they are made public.

There will always be new vulnerabilities. No software application will ever be completely secure. We must to continue to be vigilant.

Here’s what you should do:
Don’t despair. You should still do everything you can to protect yourself and your family.
Educate yourself on cybersecurity and cyberwarfare. This is the best book on the topic.
Take a moment to read my guide on how to encrypt your entire life in less than an hour.

Thanks for reading. And a special thanks to Steve Phillips for helping review and fact-check this article.

No comments: