
Vault 7 disclosures: Do they add up?

Thursday, March 9, 2017, by Mark Mayne

Wikileaks has apparently done it again, scooping a vast trove of allegedly confidential CIA documents in a leak that has polarised the internet.


Dubbed Vault 7 by Wikileaks, the documents consist of operational details about CIA tactics, considerable information about specific attack servers spread across the globe, and a host of ‘zero day’ attacks against platforms including Apple, Android, Linux and - the one that has particularly grabbed the headlines - Samsung TVs.

Wikileaks said: “Such is the scale of the CIA's undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its ‘own NSA’ with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified. The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.”

This is just the first instalment of the leaked documents, called ‘Year Zero’, consisting of 7,818 web pages with 943 attachments, and WikiLeaks promises there is more to follow.

However, many are not entirely convinced that the leak is as genuine, and thus as damaging, as described. Ilia Kolochenko, CEO of High-Tech Bridge, said: "I am a bit surprised that this particular incident attracts so much attention. The CIA, as any other governmental intelligence agency, uses and will continue using various hacking tools and techniques to obtain any information they need to protect the country. This is their duty. So far, we don't have any evidence that these capacities were used unlawfully, for example to violate reasonable expectation of privacy of innocent US citizens or for illicit interference with elections. Also, this could well be a honeypot - to distract someone's attention from the real arsenal of the US cyber warfare. I am pretty confident that US intelligence have much bigger technical resources than the garbage exposed in the leak."

There is definitely a strong case to be made for the honeypot theory. Some of the exploits are clearly gleaned from security industry events, such as one method that discusses how to weaponise a USB stick using BadUSB, the subject of a talk at BlackHat USA in 2014 by Security Research Labs. In fact, although the cache is claimed to date from 2013-2016, many analysts have pointed to it being more likely from the 2013-2014 period. This is perhaps unfortunate for us all, as the documents all appear to point to the need to compromise a target’s actual device OS in order to intercept encrypted communications; in other words, the CIA could not crack the encryption itself on the fly. However, that may well have changed in the more than two years since these tactics were current.

Google and Apple have both come forward to reassure users that many of the exploits detailed have already been patched by recent updates, while others are poring through the documents to ensure user security is not compromised any further. Samsung, whose TVs were the subject of an attack called ‘Weeping Angel’, said it was investigating urgently. Meanwhile, the Linux Foundation responded to what appears to be a multi-platform malware attack and control system for Linux: "Linux is a very widely used operating system, with a huge installed base all around the world, so it is not surprising that state agencies from many countries would target Linux along with the many closed source platforms that they have sought to compromise," Nicko van Someren, chief technology officer at the Linux Foundation, told the BBC.

While the CIA has not confirmed whether the leaks are genuine or not, the BBC reports that a criminal investigation has been started to locate the source.

Of course, this leak raises more questions than it answers. Were the ‘zero day’ bugs hoarded deliberately, in spite of US government policy to responsibly disclose vulnerabilities to the companies involved? Is any of this information still valid? Did Nigel Farage really just visit Julian Assange in the Ecuadorian embassy?

The only thing Vault 7 tells us for sure is that FBI director James Comey’s recent comment to a Boston College conference on cybersecurity is entirely true, albeit no more palatable: “There is no such thing as absolute privacy in America: there is no place outside of judicial reach”.


Mark Mayne has covered the security industry for more than 10 years, editing news for SC Magazine and editing SecurityVibes UK. Mark has a background in national news journalism and tech reporting, and has run b2b and b2c editorial sites.