As the dust begins to settle following Tuesday's Wikileaks data dump of the U.S. Central Intelligence Agency's hacking methods, the technology sector is scrambling to patch security flaws and warn users to update their software. The 9,000 pages of documents released by Wikileaks, which security professionals believe are legitimate, reveal methods the CIA has developed to circumvent the hardware and software of some of the world's top technology products, including exploiting smartphone operating systems, which allows agents to circumvent encryption apps.
Though it has yet to confirm the authenticity of the leaks, the CIA said, "The American public should be deeply troubled by any Wikileaks disclosure designed to damage the intelligence community's ability to protect America against terrorists and other adversaries." It is unclear who provided Wikileaks with the material, but, according to a Reuters report, U.S. intelligence and law enforcement officials suspect U.S. government contractors likely handed over the information.
Edward Snowden and Harold Thomas Martin were both employed by a government contractor when they leaked sensitive government information.
Tech sector responds
The leaks revealed a number of ways the CIA can exploit so-called zero-day vulnerabilities in hardware and software without informing the companies of the bugs.
Google Director of Information Security and Privacy Heather Adkins said, "We're confident that security updates and protections both in Chrome and Android already shield users from many of these alleged vulnerabilities ... Our analysis is ongoing, and we will implement any further necessary protections."
In an emailed statement to Agence France Presse, Apple said, "While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities." Microsoft and Samsung also said they were "looking into" the revelations.
There has also been a misunderstanding about whether the CIA could break the encryption of apps like Signal, Telegram, and WhatsApp. The New York Times originally reported that it could, but security professionals and Signal have responded that the documents prove encryption works. By taking control of a phone's operating system, an adversary can control all the apps on the phone, like a user, but that doesn't mean the encryption itself was compromised.
Open Whisper Systems, which produces the encrypted app Signal, tweeted, "None of the exploits are in Signal or break Signal protocol encryption."
Ubiquitous e2e encryption is pushing intelligence agencies from undetectable mass surveillance to expensive, high-risk, targeted attacks.
— Open Whisper Systems (@whispersystems) March 7, 2017
In a blog post, Columbia University's Steve Bellovin wrote, "The existence of these hacking tools is a testimonial to the strength of encryption."
Speaking in Boston yesterday, however, FBI Director James Comey said, "There is no such thing as absolute privacy in America." In response to the leaks, Comey continued: "All of us have a reasonable expectation of privacy in our homes, in our cars, and in our devices. But it also means with good reason, in court, government, through law enforcement, can invade our private spaces."
California Congressman Ted Lieu concluded differently. "It is very disturbing to anyone who cares about privacy," he told The Guardian. "It should also put to rest any argument about encryption backdoors. You can't just give encryption keys to the good guys and hope they don't get to the bad guys. Our best protection is to have no security defects in the products we use."
Center for Democracy & Technology's Joseph Lorenzo Hall said the CIA documents reveal the U.S. government did not live up to a pledge it gave last year to technology companies that it would share vulnerabilities with them.
In a blog post, however, security professional Bruce Schneier argued, "there is absolutely nothing illegal in the contents of any of this stuff. It's exactly what you'd expect the CIA to be doing in cyberspace."
On Thursday morning, Wikileaks' Julian Assange said the organization has decided to share the details with the tech sector.
BREAKING: Julian Assange: WikiLeaks has decided to give details of CIA hacking tools to tech companies.
— The Associated Press (@AP) March 9, 2017
Others, however, believe it should be the U.S. government, and not Wikileaks, that shares such data with tech companies.
Disclosure of #Vault7 0days should come from USG, not Wikileaks. WH should convene emergency VEP & CIA should disclose ASAP to vendors
— Jason Healey (@Jason_Healey) March 9, 2017
Threats to the enterprise?
The documents also reveal the nature of the CIA's hacking tools. Unlike the National Security Agency surveillance tools described in the Snowden revelations, which can surveil data subjects en masse, the CIA tools are selective and aimed at high-value targets.
In a column for The Wall Street Journal, Christopher Mims writes that the disclosure "should be a wake-up call to essential personnel in governments, corporations, nonprofits, and media outlets: If you find yourself in the crosshairs of a hacker, your digital life could get owned like never before." He says the ability of adversaries to compromise our devices at deep levels means enterprises should be concerned, especially given that many employees use their own devices for both work and personal purposes.
He notes that our phones "are the nexus of our lives" and that the lines between our work and personal devices are blurry. "The same devices that have access to our corporate networks are also where we browse the internet and let our children play games. As soon as they are breached through personal use, they become vectors into our professional lives," he warns.
Mims' column also backs up a Privacy Perspectives post from earlier this week that pointed out trends in the rise of enterprise communications vendors - a category of privacy tech solutions the IAPP has identified in its Privacy Tech Vendor Report.