Wikileaks’ publication of what it says are documents detailing the CIA’s cyber-espionage techniques has raised a host of questions about the security of smartphones, internet-connected devices and encrypted apps. Here are some answers to those questions.
What do the Wikileaks documents reveal about the CIA’s hacking abilities?
Assuming the documents are genuine, the CIA has an arsenal of malware it can use to break into widely used electronic gadgets. These include the iPhone, devices running Google's Android software and smart TVs like those made by Samsung. The most powerful of these weapons are "zero day" exploits – code that takes advantage of flaws in the software that no one else has spotted, potentially creating secret backdoors that can be used over long periods.
Wikileaks claimed only to have got hold of a partial collection of the CIA’s secrets, including “dozens” of zero-day weapons, so it is impossible to tell how complete a picture this is.
What about other governments?
The leak only covers the CIA, but – like the Snowden revelations about surveillance by the National Security Agency – they hint at wider transatlantic co-operation. One piece of malware, which uses smart TVs to eavesdrop on their owners, was purportedly developed with UK intelligence services. It is codenamed "Weeping Angel" – a reference to a race of adversaries on British TV series Doctor Who, suggesting that this particular weapon was first developed in the UK.
Is it news that governments have cyberweapons like this?
Not really. After the Snowden leaks, the Obama administration promised to collect fewer zero-day exploits for government use. It said it would disclose most of the ones it came across so that tech companies could fix the vulnerabilities, keeping an undisclosed number for national security purposes. Privacy campaigners point out, though, that even a single exploit can be hugely valuable, if it can be used to break into a widely used gadget and escape detection for a long time.
Aren’t these tools like any other weapon that governments use? Or are there extra reasons I should be worried?
The unseen nature of cyber attacks raises particular civil rights issues, since it is harder to identify when they are used or whether their use is being properly controlled. Also, once zero day exploits are released they risk falling into the hands of malevolent hackers like criminals and terrorists. Some privacy campaigners argue that governments have a responsibility to tell companies when they find a flaw in their products, because it could be used by cyber criminals.
Does this mean encrypted messaging services like WhatsApp no longer offer protection?
No, encryption still works and messages that pass between mobile apps like these are still unreadable if intercepted. But by breaking into a smartphone, the CIA could bypass the encryption. It would be able to read a message before it was scrambled, giving it access to all the information the owner of the device has.
So does this mean the CIA could engage in the same sort of mass surveillance that the NSA was accused of?
It is unlikely. The tools that Wikileaks has uncovered are used to hack into an individual user’s gadgets, not to vacuum up large volumes of phone records or text messages.
What should I do to make myself safer from attacks like this – whether from the CIA or a criminal gang?
Upgrade your software – if you can. Newer versions of operating systems like iOS and Android contain fixes for earlier flaws, and often have new layers of defence against all attacks. But this may only be effective in cases where the flaws are known: some zero day exploits could be effective for an extended period.
Also, individual users often do not have much choice about the software they use. Mobile phone operators frequently limit which versions of Android their customers can use. And TVs and other internet-connected devices use “embedded” software that users cannot update.
Copyright The Financial Times Limited 2017