How the CIA’s Hacking Hoard Makes Everyone Less Secure

By keeping dozens of its spying tools secret, the CIA may have left billions of people open to being hacked.
WIRED

When WikiLeaks yesterday released a trove of documents purporting to show how the CIA hacks everything from smartphones to PCs to smart televisions, the agency's already shadowy reputation gained a new dimension. But if you're an average American, rather than Edward Snowden or an ISIS jihadi, the real danger clarified by that leak wasn't that someone in Langley is watching you through your hotel room's TV. It's the rest of the hacker world that the CIA has inadvertently empowered.

As security researchers and policy analysts dig through the latest WikiLeaks documents, the sheer number of hacking tools the CIA has apparently hoarded for exploiting zero-day vulnerabilities---secret inroads that tech firms haven't patched---stands out most. If the US intelligence community knows about them, that leaves open the possibility that criminal and foreign state hackers do as well.

Its broad zero-day stash, then, strongly suggests that the CIA---along with other intelligence agencies---has long allowed Americans to remain vulnerable to those same attacks. Now that those hacking secrets are public, potentially along with enough details to replicate them, the danger of the feds leaving major security flaws unfixed only escalates.

"If the CIA can use it, so can the Russians, or the Chinese or organized crime," says Kevin Bankston, the director of the New America Foundation's Open Technology Institute. "The lesson here, first off, is that stockpiling a bunch of vulnerabilities is bad for cybersecurity. And two, it means they’re likely going to get leaked by someone."

A World of Hacks

It's no surprise, of course, that one of America's most well-resourced spy agencies can hack its foreign adversaries. The shock, says Johns Hopkins cryptographer Matt Green, comes instead from the sudden spill of those hacking tools onto the web. "In the same way the military would probably have one technique for killing every single tank in an enemy’s arsenal, you would expect the CIA to collect the same thing," says Green. "What’s different is that we’re seeing them out in public."

In fact, WikiLeaks wrote in a note accompanying its Tuesday release that "the archive appears to have been circulated among former US government hackers and contractors in an unauthorized manner." That raises the possibility the full document set, along with actual exploit details or code, may have fallen into the hands of hackers long before it was published in part by WikiLeaks.

The WikiLeaks CIA cache, which the group calls Vault 7, most explicitly details the agency's hacking capabilities for smartphones. It lists more than a dozen exploits that affect iOS, and two dozen that threaten Android phones with varying degrees of penetration. The CIA appears to have gleaned some of those exploits from public research, and most are likely no longer zero days, given that the documents date back to as early as 2013 and only as late as the beginning of 2016. "Our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS," an Apple spokesperson writes. Google has yet to respond to WIRED's request for comment.

But during those years, at least, the CIA appears to have kept the security flaws those techniques exploited secret. And the sheer number of those exploits suggests violations of the Vulnerabilities Equities Process, which the Obama administration created in 2010 to compel law enforcement and intelligence agencies to help fix those flaws, rather than exploit them whenever possible.

"Did CIA submit these exploits to the Vulnerabilities Equities Process?" asks Jason Healey, a director at the Atlantic Council who's tracked the VEP closely. "If not, you can say that either the process is out of control or they’re subverting the president's priorities."

Selective Disclosure

The man most closely responsible for that vulnerability disclosure policy argues that the second of those two possibilities, at least, isn't the case. Former White House cybersecurity coordinator Michael Daniel, who led cybersecurity policy for the Obama presidency and oversaw a revamp of the VEP in 2014, says that "all of the agencies that were participating in the VEP were doing so in good faith." Daniel declined to comment specifically on the WikiLeaks release or the CIA's exploit collection, but said that even now he doesn't believe anyone was hiding hacking capabilities from the White House. "I felt like everyone was engaged in the process in the right way," he says.

But that hardly means the CIA reported their exploits to Apple and Google to help secure their software, Daniel admits. While he argues that in some cases the CIA's exploits may have targeted users who simply didn't update their software with available patches, he says that other times the White House may have prioritized the CIA's hacking capability over securing software used by millions.

"The default position is that the government will disclose, but that doesn’t mean that will happen on every occasion," says Daniel. "The point of having a process is that there are times when the benefit to intelligence and law enforcement to exploit that flaw outweighs the risk of retaining that flaw inside the government. We were clear there were times when we did choose not to disclose a vulnerability to a vendor."

Balancing the needs of a critical intelligence agency with the digital security of the rest of the world isn't easy. But the US intelligence community's hacking techniques leaking---not once, but at least twice now after hackers known as the Shadow Brokers breached an NSA server and published reams of NSA code last August---means that the balance needs to be reconsidered, says the New America Foundation's Bankston. "All of these vulnerabilities were in iPhones and Android phones that hundreds of millions of people used if not billions," he says. "That has serious cybersecurity implications."

It's still unclear whether the Trump administration will continue the previous White House's Vulnerabilities Equities Process, or how it will address the question of government hacking versus civilian security. But the Atlantic Council's Healey argues that the CIA leak shows that the question needs a harder look than ever.

"The deal we make in a democracy is that we understand we need military and intelligence services. But we want oversight in the executive branch and across the three branches of government," he says. "If the CIA says 'we're supposed to do this, but we're just not going to,' or 'we're going to do it just enough that the White House thinks we are,' that starts to eat away at the fundamental oversight for which we have elected officials."