Vault 7: the CIA leak that makes angels weep on WikiLeaks


Last week we saw a massive new leak of US intelligence services data on WikiLeaks. The Vault 7 leak consists of more than 8,000 pages of classified material that describes in detail the methodology and technology used by the CIA to spy on targets.

These files date back to 2014, but go into precise technical detail of how people could be monitored using compromised Internet of Things hardware.

Perhaps unsurprisingly, much of the media has concentrated on the revelation (albeit not exactly breaking news to most inside the IT security industry) that the CIA has been turning both smartphones and ‘smart’ televisions into covert listening devices.

The ‘Weeping Angel’ project, for example, details how the Samsung F8000 model range of televisions was compromised. The methodology was to use what is referred to as a ‘fake-off’ mode to fool the user into believing the TV was switched off, when in fact it was still on and listening, with the CIA recording audio captured through the device’s voice-command technology.

This is of note not only because of the Doctor Who reference in the project name, but also because the leaked documents suggest that Weeping Angel was made possible in collaboration with MI5 in the UK. At least, it states that the project was accomplished during a workshop involving both MI5 and the CIA, so make of that what you will. We here at ITST think it unlikely that such a surveillance technology would be created with the help of MI5 but without MI5 being able to use it as well.

Other revelations, not so shocking to the industry but heart-attack-inducing for the great unwashed, include exploits aimed at getting into both Android- and iOS-powered devices. While Apple has made a quick huzzah about already having patched “many of the issues” from the Vault 7 leaks and working “rapidly” to patch any vulnerabilities that remain, things are not so tied up over in camp Android.

The fragmented nature of the Android ecosystem makes it virtually impossible to patch the majority of devices out there, or anything close to a majority, truth be told. This is, frankly, yet another reason why people who opt for Android should be buying devices that come with a proven history of getting timely OS updates, and preferably those that benefit from the monthly security update scheme.

Here’s what the broader IT security world has to say on the matter:

“Since it seems that the government deliberately targets smart devices, it is possible their techniques might be exploited by criminals, hackers and also other governments,” says Marty P. Kamden, CMO of NordVPN. “Our devices should be made safer, not more vulnerable.”

Craig Young, Security Researcher at Tripwire, says “if the reports are correct that intelligence agencies have developed the capability to deploy hacked firmware to a TV through a USB update process, it is also reasonable to believe that this technique could be extended to subvert the firmware update process over the Internet. Doing this, however, would require control over the network path between TVs and their update servers as well as having trusted security certificates. The security certificates would likely either need to be stolen from the vendor or fraudulently obtained from a trusted certification authority (CA). End-users should recognize that there is always an inherent risk from connected devices having cameras or microphones as long as they are plugged in.”
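Young’s point, that subverting an over-the-Internet update would need both a position on the network path and a trusted certificate, rests on how the TV decides which update to trust. The example below is added here and is not code from Tripwire, Samsung or the leaked documents; it assumes a simplified update scheme in which the device pins the vendor’s ed25519 signing key at manufacture and accepts only images signed under that key. It goes slightly beyond the quote by showing why pinning the vendor key, rather than trusting any CA-issued certificate, removes the “fraudulently obtained from a trusted CA” route: a genuine image verifies, an image signed under a key the vendor never issued is rejected, and a genuine image altered in transit is rejected. All keys and the firmware payload are constructed on the spot.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed, simplified update package: the raw image
// bytes plus a detached signature over their SHA-256 digest.
type FirmwareImage struct {
	Payload   []byte
	Signature []byte
}

// SignFirmware is the vendor-side step. It runs inside the vendor's signing
// infrastructure with a private key that never leaves it.
func SignFirmware(vendorPriv ed25519.PrivateKey, payload []byte) FirmwareImage {
	digest := sha256.Sum256(payload)
	return FirmwareImage{
		Payload:   append([]byte(nil), payload...),
		Signature: ed25519.Sign(vendorPriv, digest[:]),
	}
}

// VerifyFirmware is the device-side step. The device trusts only the vendor
// public key burned in at manufacture, not whatever certificate the update
// server presents, so an attacker on the update path needs the vendor's
// private key, not merely a certificate from some publicly trusted CA.
func VerifyFirmware(pinnedVendorPub ed25519.PublicKey, img FirmwareImage) error {
	if len(pinnedVendorPub) != ed25519.PublicKeySize {
		return errors.New("pinned vendor key has the wrong size")
	}
	if len(img.Signature) != ed25519.SignatureSize {
		return errors.New("update carries a malformed signature")
	}
	digest := sha256.Sum256(img.Payload)
	if !ed25519.Verify(pinnedVendorPub, digest[:], img.Signature) {
		return errors.New("update signature does not verify under the pinned vendor key")
	}
	return nil
}

// ScenarioResult records what a pinned-key device does with three constructed
// updates: the vendor's genuine image, the same image signed under a key the
// vendor never issued (standing in for a stolen or fraudulently obtained
// certificate), and a genuine image modified in transit.
type ScenarioResult struct {
	GenuineAccepted    bool
	ForeignKeyAccepted bool
	TamperedAccepted   bool
}

// RunScenario generates fresh keys and exercises VerifyFirmware on all three cases.
func RunScenario() (ScenarioResult, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	// A second key pair that is not pinned on the device.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}

	payload := []byte("constructed firmware image v1.2.3") // constructed sample payload
	genuine := SignFirmware(vendorPriv, payload)
	foreign := SignFirmware(otherPriv, payload)

	// Genuine signature, but the payload is changed after signing.
	tampered := SignFirmware(vendorPriv, payload)
	tampered.Payload = bytes.Replace(tampered.Payload, []byte("v1.2.3"), []byte("v9.9.9"), 1)

	return ScenarioResult{
		GenuineAccepted:    VerifyFirmware(vendorPub, genuine) == nil,
		ForeignKeyAccepted: VerifyFirmware(vendorPub, foreign) == nil,
		TamperedAccepted:   VerifyFirmware(vendorPub, tampered) == nil,
	}, nil
}

func main() {
	res, err := RunScenario()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("genuine accepted: %v\nforeign-key accepted: %v\ntampered accepted: %v\n",
		res.GenuineAccepted, res.ForeignKeyAccepted, res.TamperedAccepted)
}
```

The design choice worth noting is that the device never consults a CA at all for the image itself: TLS on the update channel can still use ordinary certificates, but the decision to flash is tied to a key only the vendor holds, so the only remaining high-value target is the vendor’s signing infrastructure. A USB update path, as in the quote, is simply a second channel that should pass through the same VerifyFirmware check.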

Meanwhile, Gunter Ollmann, who is CSO at Vectra Networks, reckons that “the public disclosures of zero-days and attack tools for Samsung TVs and webcams will be very popular to all hackers – both criminal and hobbyists. Businesses that employ such technologies within their offices should pre-emptively be taking steps to selectively disable such video and sound capturing capabilities when not specifically needed for business operations. This may entail using electrical tape to cover TV video lenses, physically disabling microphones when not in use, etc. Going into the device administration settings and disabling video and audio functions is highly unlikely to be effective – as any hacks against such devices can easily bypass or present false configuration settings to the admin and user interfaces on the device.”

Eric O’Neill, National Security Strategist at Carbon Black says “the onus of responsibility is on the security community as a whole – and individual vendors such as Carbon Black – to band together in order to mitigate these global threats and lean on device manufacturers to be thinking security first. While this may turn into a highly politicized issue, we are most concerned with the potential ramifications if attack code gets into the wrong hands. There will ALWAYS be new vulnerabilities and new techniques. The key for leading security vendors and the community as a whole is to quickly remediate them globally.”

Tom Lysemose Hansen, founder and CTO at Promon, points out that “this is by no means an isolated revelation. We demonstrated back in November that Tesla cars – and by association any other IoT-connected smart car – could be stolen if cybersecurity measures are not up to scratch. The IoT has almost limitless potential to enhance user experiences, but businesses should not blindly allow its continued proliferation if programmes such as Weeping Angel exist.”

Dave Palmer, Director of Technology at Darktrace warns “the traditional approach of trying to stop threats at the border is ill-suited to detect such ‘never-seen-before’ threats. The reality is that you can no longer look at last week’s attack to anticipate that of tomorrow. As this latest hack demonstrates, the boundaries of what was once considered ‘IT’ are expanding and organisations will need to adopt a more holistic approach to cyber defence.”

John Safa, founder of secure messaging platform Pushfor, says “it’s not enough to encrypt data in transit. Using the CIA methods, it can be stolen at the device level, before it gets encrypted, thus making the new security improvements in WhatsApp easy to bypass. So many companies rely on free communications tools such as WhatsApp, which use the public cloud. They are at risk and these free messaging apps should be banned for corporate use. They need to take back control of their own data environments and secure data in a walled garden where they have more control.”

We’ll leave the final word to Mike Ahmadi, global director of critical systems security at Synopsys, who insists “US Government computer systems, policies and procedures are largely outdated in today’s hostile world of connected technologies. The moment anything with either external connectivity or mobility (e.g. a USB memory stick) gets near such systems, the game is over. The software running on legacy government computer systems is so fraught with vulnerabilities that any level of access creates the potential for a security breach. The government needs to take a closer look at their exposure if they hope to defend against what is becoming an embarrassing regular occurrence.”