WikiLeaks’ latest data dump, the “Vault 7,” purporting to reveal the Central Intelligence Agency’s hacking tools, appears to be something of a dud. If you didn’t know before that spy agencies could apply these tools and techniques, you’re naive, and if you think it undermines the attribution of hacker attacks on the Democratic National Committee and other targets, you’ll be disappointed.
On the surface, the dump – touted by WikiLeaks as the biggest ever publication of confidential CIA documents – offers some explosive revelations. They’re all over the news pages:
▪ The CIA is able to use your Samsung smart TV to eavesdrop on you!
▪ The CIA can get into your iPhone or Android device, as well as your Windows, Mac or Linux PC, and harvest your communications before they are encrypted!
▪ No encryption app – not even the Edward Snowden favorite, Signal, or WhatsApp, which uses the same encryption – is safe!
▪ The CIA hoards “zero day” vulnerabilities – weaknesses not known to the software’s vendors – instead of revealing them to the likes of Google, Apple and Microsoft!
▪ CIA hackers use obfuscation tools to pretend their malware was made by someone else, including Russian intelligence!
There’s even a BuzzFeed story quoting current and former U.S. intelligence officers as saying the dump is “worse than Snowden’s.”
There is little content in the dump to support these panicky reactions. Nothing in it indicates that the CIA has broken messenger encryption, as Open Whisper Systems, the software organization responsible for Signal, has been quick to point out.
The CIA can read messenger communications only if it plants malware on a specific phone or computer; then it can harvest keystrokes and take screenshots, capturing messages before they are encrypted or after they have been decrypted on that device. This is not about mass surveillance – something that should bother the vast majority of internet users – but about monitoring specific targets.
Open Whisper Systems tweeted on March 7: “Ubiquitous e2e encryption is pushing intelligence agencies from undetectable mass surveillance to expensive, high-risk, targeted attacks.”
It’s not much of a secret that a hacked phone or computer renders end-to-end encryption useless for whoever uses that device: the messages are in the clear on its screen and in its keyboard buffer. The same point, that whoever controls the device controls the data on it, was the essence of Apple’s dispute with the Federal Bureau of Investigation last year, when the company wouldn’t help the FBI get into a phone owned by San Bernardino shooter Syed Rizwan Farook.
The Big Brother-style implications of a hacked Samsung TV are undermined by the nature of the documents that describe the hack. The CIA needs physical access to the TV set to weaponize it. Robert Graham, founder of Errata Security, wrote on the firm’s blog:
“The docs are clear that they can update the software running on the TV using a USB drive. There’s no evidence of them doing so remotely over the Internet. If you aren’t afraid of the CIA breaking in and installing a listening device, then you shouldn’t be afraid of the CIA installing listening software.”
The obfuscation story is similarly unimpressive. The WikiLeaks cache contains a manual for CIA hackers on making their malware harder to trace, for example by inserting foreign-language strings. WikiLeaks also said that the CIA “collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation.”
The library, however, contains all sorts of publicly available malware, as well as samples tentatively attributed to foreign intelligence services; all that does is confirm that hackers, including CIA ones, aren’t picky about the origins of the products they use. The important thing is that the malware should work.
This shouldn’t affect serious attempts to attribute hacker attacks. I’m not sure this is fully understood within the U.S. intelligence community itself – at any rate, the declassified report on Russian hacking it released late last year appeared to base attribution on the use of specific publicly available malware.
But industry experts usually need much more evidence. A number of possible Russian attacks were attributed to Moscow’s intelligence services because the attackers used specific command and control servers – the infrastructure that receives data from compromised machines – that had also been used to collect information from various adversaries of Russia. To set up a false flag operation, the CIA would need to go much further than obfuscating the origins of its malicious code.
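To make the point concrete, here is a toy attribution scorer in Python. It is an added illustration, not part of the column and not any vendor’s actual methodology. It weights indicator classes by how hard they are to reuse or forge: shared command and control infrastructure counts far more than a reused malware family or foreign-language strings, which anyone can lift from a public sample library. The actor profiles, host names, malware family names and weights are all constructed for the example.

```python
# Added example, not the column's or any vendor's own method: a toy attribution
# scorer that weights indicators by how hard they are to reuse or forge.
# Actor profiles, indicator names and weights below are constructed for
# illustration (hypothetical names, no real infrastructure or malware).
from dataclasses import dataclass
from typing import Iterable, Tuple

# Weight per indicator class. Shared C2 infrastructure is expensive to fake
# and rarely reused across actors, so it dominates; a malware family or
# foreign-language strings can be copied from a public sample library.
WEIGHTS = {"c2": 0.60, "ttp": 0.25, "malware": 0.10, "language": 0.05}


@dataclass(frozen=True)
class Indicators:
    """Indicator sets for either a known actor profile or an observed incident."""
    name: str
    c2: frozenset        # command-and-control hosts
    ttp: frozenset       # tactics/techniques, e.g. delivery and persistence
    malware: frozenset   # malware families seen
    language: frozenset  # language artefacts in binaries or metadata


def coverage(observed: frozenset, known: frozenset) -> float:
    """Fraction of the observed indicators of one class that match the profile."""
    if not observed:
        return 0.0
    return len(observed & known) / len(observed)


def score(incident: Indicators, profile: Indicators) -> float:
    """Weighted match between an incident and one actor profile, in [0, 1]."""
    total = 0.0
    for kind, weight in WEIGHTS.items():
        total += weight * coverage(getattr(incident, kind), getattr(profile, kind))
    return round(total, 3)


def attribute(incident: Indicators, profiles: Iterable[Indicators],
              threshold: float = 0.5) -> Tuple[str, float]:
    """Return (actor, score) for the best-matching profile, or
    ('unattributed', score) when even the best match is below the threshold."""
    best_score, best_name = max((score(incident, p), p.name) for p in profiles)
    if best_score < threshold:
        return ("unattributed", best_score)
    return (best_name, best_score)


# Constructed profiles: two hypothetical actors with distinct infrastructure.
ACTOR_X = Indicators("actor-X", frozenset({"c2-a.example", "c2-b.example"}),
                     frozenset({"spearphish", "dll-sideload"}),
                     frozenset({"family-alpha"}), frozenset({"ru"}))
ACTOR_Y = Indicators("actor-Y", frozenset({"c2-y.example"}),
                     frozenset({"usb-dropper"}),
                     frozenset({"family-beta"}), frozenset({"zh"}))
PROFILES = [ACTOR_X, ACTOR_Y]

# Incident 1: reuses actor-X's malware family and Russian-language strings
# (both obtainable from a public sample library) but has fresh infrastructure
# and a different delivery technique. This is what a cheap false flag looks like.
INCIDENT_FALSE_FLAG = Indicators("incident-1", frozenset({"fresh-c2.example"}),
                                 frozenset({"watering-hole"}),
                                 frozenset({"family-alpha"}), frozenset({"ru"}))

# Incident 2: a malware family never seen from actor-X, but it calls back to
# one of actor-X's known C2 hosts and uses actor-X's delivery technique.
INCIDENT_SHARED_INFRA = Indicators("incident-2", frozenset({"c2-a.example"}),
                                   frozenset({"spearphish"}),
                                   frozenset({"family-gamma"}), frozenset({"ru"}))

if __name__ == "__main__":
    for inc in (INCIDENT_FALSE_FLAG, INCIDENT_SHARED_INFRA):
        print(inc.name, attribute(inc, PROFILES))
```

Run as a script, the first incident stays unattributed (a 0.15 match to actor-X on the cheap indicators alone) while the second attributes to actor-X at 0.9 despite the unfamiliar malware, because the infrastructure and technique overlap carry the weight. The weights are illustrative; the design point is that any scheme leaning on malware provenance alone is exactly what a library of borrowed samples defeats.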
So all the jubilant tweets from Trump supporters declaring the CIA was behind the “Russian hacks” are at least premature and probably inaccurate. To suspect a false flag operation on this scale is to believe in a conspiracy theory not backed by any publicly available evidence. (That said, the attribution of the attacks to the Kremlin isn’t definitive, either.)
To Snowden, the biggest story about “Vault 7” is that U.S. intelligence services have purchased software vulnerabilities so they could use them to spy on people, when, in the interests of public safety, they should have turned the information over to the makers of the software. Otherwise – and WikiLeaks makes a big deal of it – anyone who finds the same flaws can use them, from foreign intelligence to teenage hackers.
Indeed, the cache clearly indicates that “zero days” are purchased by intelligence agencies and shared among the CIA, the National Security Agency and the U.K.’s GCHQ. And it is a major risk not to tell the software vendors about them.
Yet it’s naive to expect spies to act in any other way. The agencies won’t buy vulnerabilities to turn them over to Google, Apple or Cisco – the companies themselves are supposed to do this if they’re interested in the security of their products. The spies need the vulnerabilities to do their own work.
None of this is to say that “Vault 7” isn’t damaging to the CIA. It reveals a somewhat lower level of technological sophistication than can be expected from a U.S. intelligence agency – unlike Snowden’s NSA cache. It gives foreign intelligence services an insight into the specific methods used by the CIA and probably sets off a distracting, morale-destroying hunt for the leaker. It puts the CIA on the defensive, makes it look weak and thus helps President Donald Trump in his public battle with the intelligence community. Since the CIA documents appear genuine, it’ll only strengthen a sense that Russia – and perhaps other foreign powers – have penetrated the U.S. intelligence community and disarmed its cyber operations.
Revealing more evidence of Russian interference in the 2016 election campaign would probably help the intelligence agencies to redeem themselves. It’s time for them to go beyond innuendo and anonymous leaks – they can’t beat Julian Assange at that game.
Leonid Bershidsky is a Bloomberg View columnist. He was the founding editor of the Russian business daily Vedomosti and founded the opinion website Slon.ru.