Tl;dr: Details on CIA hacking tools were leaked via the biggest-ever government leak on WikiLeaks (link), revealing all of our personal technology is vulnerable to government/OTHER hackers. What you should do: 1) update your operating systems, firmware, and software for patches (you should always do this); 2) pick securer devices/software (I recommend Apple for phone/laptop, Signal for text messaging/voice chat; see my full list here); 3) be conscious of any personal information accessed/stored on your devices (mobile banking is inherently unsafe); and 4) let your elected officials know this issue matters to you (they’re contacted so infrequently by voters that they really do listen). And one final note as a reminder: nothing is hacker-proof.
What happened: Yesterday 8,671 internal CIA documents were made public via the WikiLeaks website (code-named Vault 7; direct link here), detailing various CIA cyber warfare and electronic surveillance activities.
Why you should care: These documents are proof the CIA is capable of spying on you in ways you probably didn’t know possible – listening to you, watching you, and collecting your digital information, even through “secure” services. While the full implications aren’t yet clear, devices already known to be impacted: 1) phones (Android and iPhones), which can be used to watch (video) and listen (audio) to everything, even encrypted services (like WhatsApp, Signal, etc.); 2) computers with Windows, macOS, and Linux; 3) Samsung smart TVs, which can record audio even when you think they’re off; and 4) the electronics in your car (fewer details leaked on this topic).
Even if you’re not concerned what our government knows, because you “have nothing to hide,” many of these tools are now in the hands, not just of our government, but also foreign governments and private hackers. Additionally, while our broader government has been known to have/should have strong hacking capabilities, these documents prove 1) the CIA specifically took/is taking unauthorized actions and using loopholes in our law; 2) the USG wasted money by duplicating hacking capabilities across organizations (CIA had to spend more money to duplicate NSA tech); and 3) US citizens have been made vulnerable on purpose – the opposite of what you’d hope our government should be using its resources for.
Key take-aways and how to secure your devices:
- The CIA has the ability to break into Android and iPhone phones and all kinds of computers. The U.S. intelligence agency has been involved in a concerted effort to write various kinds of malware to spy on just about every piece of electronic equipment that people use. That includes iPhones, Androids and computers running Windows, macOS, and Linux.
- Apple says “most” of the leaked vulnerabilities are fixed, implying some remain. In forum conversations amongst information security experts, only one of 14 exploits is “confirmed” to remain; however, there is no easy way to tell if your phone is impacted. The best you can do is keep your phone operating system up to date. Be conscious of what you say/do on your phone and what financial services you access from your phone (mobile banking is convenient, but inherently unsafe).
- Android vulnerabilities are pervasive. Android has been notoriously insecure and slow to patch known vulnerabilities. As much as I’m not an Apple fan, iPhones are still the safest option right now. Be conscious of what you say/do on your phone and what financial services you access from your phone.
- Laptops: Tape a piece of cardboard over your webcam/microphone when not in use. Sounds paranoid, but hacking laptop cameras over the web is one of the easiest things to do, and security experts regularly use this “trick.” Additionally, never save any passwords or critical documents in plain text or files (Encrypted password keepers, such as LastPass, are good alternatives to keeping passwords in plain text if you can’t remember your passwords. Never store passwords with your browser).
- Doing so would make apps like Signal, Telegram and WhatsApp entirely insecure. Encrypted messaging apps are only as secure as the devices they are used on — if an operating system is compromised, then the messages can be read before they are encrypted and sent to the other user(s).
- Signal is still my recommended service (strong encryption, solid features, not owned by a known-corrupted company – even WhatsApp is owned by Facebook now), BUT be conscious that messages won’t be safe if your phone has been compromised.
- The CIA could use smart TVs to listen in on conversations that happened around them.One of the most eye-catching programs detailed in the documents is “Weeping Angel.” That allows intelligence agencies to install special software that allows TVs to be turned into listening devices — so that even when they appear to be switched off, they’re actually on.
- Confirmed impacted devices (though others are likely vulnerable): Samsung TVs from 2012 or 2013, running firmware versions prior to version 1118. Specific device models known to me impacted: From 2012: UNES8000F, E8000GF plasma, and UNES7550F. From 2013: UNF8000 series, F8500 plasma, UNF7500 series, and UNF7000 series. To determine if your firmware version and to update it, go to the main menu, select Support, then select Software Update.
- What do I do?: 1) Make sure your TV firmware is up to date, 2) cover any built in camera/mic with a piece of cardboard when not in use, 3) unplug your smart TV when it’s not in use (turning it off isn’t good enough), 4) consider replacing your “smart” TV with a “dumb” one.
- The agency explored hacking into cars and crashing them, allowing “nearly undetectable assassinations.” Many of the documents reference tools that appear to have dangerous and unknown uses. One file, for instance, shows that the CIA was looking into ways of remotely controlling cars and vans by hacking into them. Not enough details to draw any conclusions here, but worth pointing out because it shows the extent of what hacking can influence – an important understanding for any privacy/powers debate(s) in this country.
- The CIA hid and even PAID FOR vulnerabilities that could be used by hackers from other countries or governments. Such bugs were found in the biggest consumer electronics in the world, including phones and computers made Apple, Google and Microsoft. But those companies didn’t get the chance to fix those exploits because the agency kept them secret in order to keep using them, the documents suggest.
- Remember: nothing is “hacker-proof.” While it’s hard to know what devices/software to trust, ones that claim they’re “unhackable” tend not to be the best choices.
- More information is coming. No one has had a chance to scrub through all the documents yet, but undoubtedly more revelations are forthcoming.