Have you heard about Vault 7? If not, you might want to pay attention.
What is it?
If you’ve been ignoring the news lately, you might have missed Vault 7. It’s the latest in an extensive series of leaks from Wikileaks, and it looks like it may run for some time.
According to Wikileaks, it’s the largest publication of confidential documents on the CIA, and the whistleblowing organisation has promised a series of leaks from Vault 7 to come.
The first leak is called “Year Zero”, and it claims to be a list of vulnerabilities and flaws the CIA is exploiting to compromise a range of devices from smart TVs to iPhones and Android phones with malware, trojans and other things you don’t want hanging around. There are 8,761 documents and files that are said to be from a high-security network in the CIA’s Center for Cyber Intelligence, and it all makes for uncomfortable reading.
For example, the documents detail a way to put a smart TV into a fake “off mode”, but still have it record audio surreptitiously. Other divisions were said to be involved in developing malware that would instruct phones to send the CIA the user’s location, audio and text communications, activate the phone’s camera and microphone, and generally act as a bug.
There were also exploits and malware tools for Windows, Linux and Apple's desktop operating system, some of which were designed to spread via infected devices to work their way on to "air gapped" machines, that is, computers deliberately kept off any network.
Is it genuine?
The general thinking is that it is. Edward Snowden tweeted that it looked like genuine information to him, due to the use of certain programme and office names that only a "cleared insider" could know.
Should we be concerned?
If you take it at face value it looks pretty scary. WhatsApp, Signal and other messaging services that claim to be end-to-end encrypted have been getting a lot of love lately because the encryption means a message can be read only by the intended recipient, not by the service in the middle.
WhatsApp, for example, can’t have a look at messages you are sending to your work colleagues because the encryption prevents that. Ditto for Signal, which doesn’t even keep records of who you are messaging. That’s given us a sense of security about our messages.
The noise around Vault 7 initially made it look as if that was all in jeopardy, with reports that the intelligence agency had managed to bypass WhatsApp, Signal, Telegram and Confide. Cue mass panic about what the CIA might be able to poke around in without you realising.
However, closer analysis of the documents tells a slightly less alarmist tale.
What’s the confusion then?
When the story was initially reported, it was (wrongly) perceived that the CIA had found a way to hack into encrypted messages. If it has, it certainly isn’t contained in this particular batch of documents.
What it does have to hand, however, are ways to seize control over your whole device. So the CIA could insert some malware into your phone without your knowledge, and then use that to have a good nosy around what’s on it. Agents don’t need to break the encryption on your WhatsApp messages when they can see exactly what is going on in your phone at any time: the message is decrypted on the phone for you to read it, and anything running on that phone can read it too.
Basically, the encryption is intact; it’s the device itself that is the problem.
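To make that distinction concrete, here is a small simulation, added here as an illustration and not code from the Vault 7 documents or from any real messenger. It sends one message between two chat clients and looks at it from three vantage points: a passive observer on the wire, someone tampering with the message in transit, and an implant running on the recipient's device. The two parties are assumed to already share a secret (a real app would negotiate one), and the cipher is a stdlib-only stand-in (an HMAC-SHA256 keystream in counter mode with encrypt-then-MAC), chosen only so the example runs offline without third-party libraries; all names are hypothetical.

```python
"""Toy end-to-end encrypted chat, added to illustrate endpoint compromise.

Not code from the Vault 7 documents or any real messenger. Assumes a shared
secret already exists and uses a stdlib-only stand-in cipher (HMAC-SHA256
keystream in counter mode, encrypt-then-MAC). Not a recommended design.
"""
import hashlib
import hmac
import os
from typing import Callable, List, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(shared_secret: bytes) -> Tuple[bytes, bytes]:
    """Split one shared secret into independent encryption and MAC keys."""
    enc_key = hmac.new(shared_secret, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC(enc_key, nonce || i)."""
    out, i = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return bytes(out[:length])


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Check the tag first, so anything altered in transit is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message altered or forged")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Endpoint:
    """A chat client; `hooks` stands in for other code running on the device."""

    def __init__(self, shared_secret: bytes) -> None:
        self.enc_key, self.mac_key = derive_keys(shared_secret)
        self.inbox: List[bytes] = []
        self.hooks: List[Callable[[bytes], None]] = []

    def send(self, plaintext: bytes) -> bytes:
        return encrypt(self.enc_key, self.mac_key, plaintext)

    def receive(self, blob: bytes) -> None:
        plaintext = decrypt(self.enc_key, self.mac_key, blob)
        self.inbox.append(plaintext)
        for hook in self.hooks:  # an implant sees exactly what the app sees
            hook(plaintext)


def simulate(message: bytes = b"meet at the usual place, 9pm") -> dict:
    """One message, three vantage points: the wire, a tamperer, an implant."""
    shared_secret = os.urandom(32)  # constructed sample key
    alice, bob = Endpoint(shared_secret), Endpoint(shared_secret)

    implant_log: List[bytes] = []  # what malware on Bob's phone captures
    bob.hooks.append(implant_log.append)

    wire = alice.send(message)  # all a passive network observer gets
    observer_sees_plaintext = message in wire

    # Flip one ciphertext bit in transit; the MAC check must reject it.
    flipped = wire[:NONCE_LEN] + bytes([wire[NONCE_LEN] ^ 0x01]) + wire[NONCE_LEN + 1:]
    try:
        bob.receive(flipped)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    bob.receive(wire)  # genuine delivery
    return {
        "observer_sees_plaintext": observer_sees_plaintext,
        "tamper_detected": tamper_detected,
        "recipient_read": bob.inbox[-1] == message,
        "implant_sees_plaintext": bool(implant_log) and implant_log[-1] == message,
    }
```

Calling `simulate()` shows the encryption doing its job on the wire (the observer sees no plaintext, the altered message is rejected) while the implant hook on Bob's device reads the message anyway, because it runs after decryption. Nothing in the cipher was broken; the device was.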
And there’s something else to consider. Security experts examining the list of the CIA’s tools say that many of the exploits mentioned were already publicly known. The CIA is using the same kind of tools that regular hackers use – exploits for known weaknesses in software.
What are the companies saying?
Open Whisper Systems has been very clear that the Vault 7 leak deals with getting malware on to phones, rather than breaking the encryption on Signal.
Meanwhile, Apple said many of the vulnerabilities mentioned in Vault 7 have already been addressed, and it's working quickly to sort the rest.
It’s not clear which vulnerabilities are still a risk. A good portion of devices – about 80 per cent – are on the latest version of iOS, although older devices that can no longer run current versions of iOS will be stuck with unpatched software.
According to Google, the exploits and vulnerabilities listed in the CIA documents are already out of date, and have been patched in more recent versions of Android.
That’s reassuring, but things become slightly more complicated for Android users because there are so many different versions of the software out there, including older devices still running Android 4.x releases such as KitKat. Android users rely on manufacturers to build and push out updates for each individual device model as fixes become available. And there are still plenty using old software.
Microsoft and Samsung say they are looking into it, but the smart TV vulnerability was something that Samsung had warned about a few years ago, so it's hardly news.
So – again – should we be worried?
Well, yes. The vulnerabilities may be either patched or in the process of being patched, but there will be more. There’s also the danger that comes from intelligence agencies finding these weaknesses and not alerting the companies, meaning anybody who finds them can use them for whatever means they see fit. That’s not a nice situation to be in.
What can I do?
Still don’t trust your smart TV or phone? The best thing you can do is make sure your devices have the latest version of the software available, because that may fix the flaws the CIA was exploiting.
When it comes to laptops or other devices, a simple bit of tape over the lens will make sure your webcam can’t see anything even if it is switched on without your knowledge (it does nothing for the microphone, though). And as for smart TV issues, simply unplugging the device when it’s not in use will render any potential exploits useless, since a fake “off mode” only works while the set still has power.
But it’s worth bearing in mind that anything that connects to the internet could potentially be compromised at some point now or in the future, and make decisions accordingly.