Sergey Nivens - Fotolia
WikiLeaks has published details of US Central Intelligence Agency (CIA) hacking tools for most desktop and mobile operating systems, but top secure messaging and mail apps remain secure, says Open Rights Group.
According to 8,761 documents published by WikiLeaks, the CIA has an arsenal of hacking tools to target Windows, Android, iOS, OSX and Linux.
Some of the tools are designed to hack into routers and internet-connected TVs. The UK’s MI5 security agency is said to have helped develop malware for hijacking the microphones of Samsung smart TVs.
WikiLeaks said the archive of the CIA’s hacking tools appears to have been circulated among former US government hackers and contractors in an unauthorised manner. It is believed that one of these hackers or contractors provided WikiLeaks with portions of the archive.
WikiLeaks said that in a statement that the source details policy questions that they say urgently need to be debated in public, including whether the CIA’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency.
“The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyber weapons,” said WikiLeaks.
The organisation claims to have reviewed the disclosure carefully to avoid the distribution of “armed” cyber weapons until a consensus emerges on the technical and political nature of the CIA’s programme and how such “weapons” should analysed, disarmed and published.
In detailing the techniques used to compromise smartphone operating systems, WikiLeaks said the CIA is able to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the devices they run on and collecting audio and message traffic before encryption is applied.
But Open Rights Group has responded by saying Signal and WhatsApp are still safe and remain good ways to communicate for “nearly everyone”.
“The worst thing to do would be to throw our hands up in the air and give up on our digital security,” the digital rights group said in a blog post.
Read more about risk management
- Incorporating root cause analysis in risk management planning could be beneficial to developing a security plan, but is it the best time for it?
- If you know where the risk points are, you can request additional safeguards to protect the system and data access of trusted business partners.
- Cyber attacks constitute a group-level risk that is managed as part of BP’s standard set of risk management processes, says group chief.
Encrypted email provider ProtonMail has also issued a statement about Signal, WhatsApp and its own service.
“After an in-depth analysis, we can confirm that none of the [WikiLeaks] disclosures indicate any compromise of the core cryptography that underpins ProtonMail and other popular encrypted services,” the company said.
“Despite claims to the contrary, there is also no evidence that Signal/Whatsapp end-to-end encryption has been breached,” it said in a blog post.
Open Rights Group criticised media reports that the CIA can bypass the encryption on messaging apps such as Signal and WhatsApp. “This is emphatically not accurate,” the blog post said.
“There is a big difference between phone operating systems being hacked and message encryption being broken. If a messaging app’s encryption has been broken, that would affect every user of the app. The encryption in Signal and WhatsApp has not been broken.
“If the CIA is so interested in you personally that they would hack your phone, then yes you are vulnerable to attack. This is not new. Most of us, however, are not national security journalists reporting on sensitive state secrets, so the CIA hacking our phone is very unlikely.
“We can and should still use encrypted messaging apps to help keep our messages private and secure from people who aren’t as powerful and well-resourced as the CIA and are far more likely to try to read our messages.”
There are issues with the way the CIA and other intelligence agencies hoard and use device vulnerabilities without reporting them to the manufacturers of the devices, said Open Rights Group.
“If vulnerabilities in the devices remain unfixed, it means that people’s devices are also open to attack from criminals and from other countries’ intelligence agencies,” the group said.
Read more about surveillance
- In a digital era, the information security community has a key role in helping to make the world a safer place, according to former MI5 boss Stella Rimington.
- Former GCHQ head David Omand says the UK will be the first country in Europe to legislate to regulate digital intelligence and put it under judicial supervision with judicial review.
- The government welcomes a review of the controversial Investigatory Powers Bill that found there is no viable alternative to the bulk data collection powers proposed by the bill.
But to put the matter in perspective, Open Rights Group said most people are at far greater risk of their devices being infected from clicking a link in a phishing email than they are of being hacked by the CIA using a vulnerability in their device.
Security industry commentators have expressed concern that the CIA hacking tools will fall into the hands of cyber criminals.
Carbon Black national security strategist and former FBI counter-terrorism operative Eric O’Neill believes this leak undermines national security.
“We are losing the cyber security war to other nation states and at a deficit in our ability to protect ourselves,” he said.
“Now, with the release of one of our offensive playbooks, our ability to attack is compromised. All of these tools will now proliferate among those for whom breaching security is a business or profession, leading to additional attacks.”
Shuman Ghosemajumder, CTO of Shape Security, said: “Individuals and companies who discover they are using vulnerable products will have to assess their own risks and decide what course of action to take to mitigate it.
“This may involve temporarily disabling or disallowing some products until vulnerabilities are patched, or even switching to new products.”
Other commentators said revelations about hacking tools for internet-connected TVs is yet another sign of the challenges facing the young internet-connected industry producing devices that make up the internet of things (IoT).
Users are responsible for protecting their personal information once they own an IoT device, said Avi Freedman, founder and CEO of network security firm Kentik.
However, he also believes sellers such as Amazon should be more concerned about what they are connecting to the internet.
“Many young IoT companies are spending their dollars on marketing, not security,” said Freedman. “And as the network of IoT grows larger, so do security challenges.”