
What the big CIA leaks mean for your security

Stay tuned, and stay safe.

 

Ben Dickson

Layer 8

Posted on Mar 10, 2017   Updated on May 24, 2021, 9:13 pm CDT

WikiLeaks’ latest bombshell, a huge trove of classified documents made public this week, shed new light on the aggravating scope of government surveillance, CIA hacking capabilities, and global espionage. It was also a reminder of an undeniable truth: Security and privacy are fast becoming a hard-to-afford luxury.

While WikiLeaks still hasn’t published all of the documents, some of the more controversial topics that are being discussed at present are the CIA’s capabilities to hack into both iOS and Android smartphones and bypass encryption embedded in secure messaging apps, and its program to use smart TVs as covert listening devices.

As is the case with every leak, much of what you hear is hype, while other hidden threats remain in the shadows. Here’s what you need to know about how this latest revelation can affect you.

Hacking of iOS and Android

According to the WikiLeaks documents, the CIA has in its possession a cache of iOS and Android vulnerabilities, which would enable it to hack, surveil, and, in some cases, remotely control user devices. With billions of smartphones and tablets scattered across the globe, it would be fair to assume other governments and organized cybercrime rings already possess and are seeking to exploit the same security holes for their evil deeds.

However, this isn’t the first time that a government agency or a so-called “zero-day broker”—a company that sells unknown vulnerabilities to government agencies—has targeted mobile device operating systems.

According to Apple, iOS’s latest security updates have patched many—if not all—of the vulnerabilities that WikiLeaks has so far exposed. The company also declared that it is working to address and fix other identified vulnerabilities. Fortunately, 80 percent of iOS users are running the latest version of iOS. If you’re not one of them, you should strongly consider updating your system.

As for the Android operating system, Google has yet to clarify how many of the 24 announced zero-day exploits have already been patched and how many remain in the wild. But your best bet is to make sure your device is patched up and be on the lookout for new updates.

Bypassing encrypted messaging apps

The documents published by WikiLeaks purport that the CIA was able to bypass encryption used in messaging apps such as Signal, WhatsApp, and Telegram. The fact was initially misinterpreted—thanks to a misleading WikiLeaks press release—as the CIA having compromised the encryption technology itself.

As was later made clear (including by Daily Dot’s Dell Cameron), the alleged “bypass” implies government agencies compromising devices and capturing sent messages before encryption and received messages after decryption. In fact, the CIA would have to compromise the device itself—and that would compromise literally every app, not just Signal or WhatsApp.

This means that the famous Signal encryption protocol, which underlies all of those messaging apps, remains uncontested and continues to be the most secure way of transmitting a message. So, don’t delete Signal or other encrypted apps for some other, less reliable messaging platform.

It also means that encrypted messaging per se isn’t enough to protect your communications, and you should still make sure that your devices are up-to-date with the latest security patches and are running a reliable anti-malware solution.

Spying through smart TVs

Last year, then-Director of National Intelligence James Clapper asserted that governments will likely use Internet of Things (IoT) devices as spying tools. WikiLeaks’ latest batch of documents confirmed Clapper’s warnings by blowing the whistle on the government he himself had served.

One of the scariest revelations was Weeping Angel, a joint program developed by the CIA and MI5 to use vulnerabilities in Samsung’s F8000 series of smart TVs to spy on targets. The exploit can extract browser and WiFi credentials and history. But even more worrying is its capability to continue listening on targets while the TV looks to be turned off.

The documents do not make clear whether this particular exploit can be carried out remotely—meaning over the internet—or if an attacker would need physical access to the TV. The example in the documents details an attacker infecting the TV via a USB drive. Regardless, this is another stark reminder of the poor state of Internet of Things security, especially at the consumer level.

A month ago, TV-maker Vizio agreed to pay a $2.2 million fine for collecting users’ data and sharing it with other companies without their consent. In late 2016, several toy firms were fined for having tracked online activity and collected personal data of children under 13.

With more and more home appliances becoming connected to the Internet, and with so many voice-enabled devices finding their way into homes, hackers and government agencies can find new ways to harm you or spy on you.

Due to the fragmented and diverse nature of IoT devices, there’s no one-size-fits-all recipe to protect yourself. However, a recent piece we ran on Daily Dot provides guidelines and practices that can protect you against most IoT-related hacks.

The saga continues

We still don’t know what else WikiLeaks has in store for us, but if there’s one thing to be sure of, it’s that privacy should be everyone’s business. Stay tuned, and stay safe.

Ben Dickson is a software engineer and the founder of TechTalks. Follow his tweets at @bendee983 and his updates on Facebook.

*First Published: Mar 10, 2017, 6:00 am CST