Once upon a time—not too long ago—you’d be dismissed as a tinfoil-hat conspiracy theorist if you claimed that the Central Intelligence Agency was listening in on everything you say.
But this week’s allegations from WikiLeaks that the CIA can hack smartphones, TVs and cars have detonated a public relations neutron bomb over the biggest digital organizations and device makers on the planet.
Meanwhile, the crisis klaxons are blaring in Washington, D.C. and at the CIA’s Langley, Virginia, headquarters.
On Tuesday WikiLeaks released a trove of 8,800 CIA documents and files it calls “Vault 7.” The digital dump allegedly details the agency’s covert hacking, malware arsenals and “weaponized exploits against a wide range of U.S. and European company products, including Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.”
The anti-secrecy organization said the documents were leaked by an insider and promised that it would be releasing more this week. It added that the CIA has lost control of most of its hacking malware, viruses and trojans. (The agency declined to confirm or deny the authenticity of the documents.)
“Once a single cyber ‘weapon’ is ‘loose’ it can spread around the world in seconds, to be used by rival states, cyber mafia and teenage hackers alike,” WikiLeaks alleged.
The effects of the leaks will be far-reaching, forcing more and more sensitive conversations offline, suggests Gerald Baron, chief executive of Agincourt Strategies.
“This likely sends a chill down the spine of a great many corporations, government agencies and government officials—elected and non-elected,” Baron says. “Nothing, it appears, is beyond reach of the hackers, and this makes this more clear than ever.”
The crisis cuts in multiple directions. For users of smartphones and smart TVs, there is the alarming news that spooks might be able to listen in on your couch-potato grumbling about bad umpiring or improbable HBO plot twists—or even (gulp) more personal moments.
Silicon Valley scrambled to reassure consumers and look for security holes. Forbes reported that Google’s researchers are scouring the data dump “to determine if they need to get working on patches.” Reuters stated that “dozens of firms rushed to contain the damage from possible security weak points.”
In Washington and at the CIA, there was dismay over the news. Without offering any evidence, U.S. Sen. John McCain sought to blame a Russian hack. WikiLeaks, however, said the documents had been circulated among former U.S. government hackers and contractors, one of whom has provided WikiLeaks with portions of the archive. Either way, the crisis did not boost confidence in the spooks’ security measures.
In addition, WikiLeaks’ claim that the U.S. Consulate in Frankfurt is a covert CIA hacker base threatens U.S. relationships with its ally Germany.
Germany’s chief federal prosecutor has announced examination of U.S. hacking activities at the Frankfurt ‘Consulate’ and may prosecute.
— WikiLeaks (@WikiLeaks) March 8, 2017
CIA public affairs officials faced a damned-if-you-do-damned-if-you-don’t situation when asked about the documents’ authenticity, and the agency kept a tight leash on its spokespersons. A statement to Ragan.com and PRDaily.com was identical to those given to CBS News and other outlets.
Heather Fritz Horniak, a spokesperson in the CIA Office of Public Affairs, said in an email, “We do not comment on the authenticity or content of purported intelligence documents.”
The document dump also likely will harm the wary relationship between the CIA and Silicon Valley, The New York Times reported.
“Major technology companies, including Apple, Google and Microsoft, were trying to assess how badly their core products had been compromised,” the Times stated. “But one thing clearly had been ruptured yet again: trust between intelligence agencies and Silicon Valley.”
Tunneling under the castle
While many organizations were terse in their social media reactions, the messaging app-maker Telegram jumped in with a blog post about the leaks. Telegram compared an app to a castle on a mountain, and said the WikiLeaks Vault 7 documents provide a map of security-threatening tunnels underground.
“Now that device and OS manufacturers like Apple and Google will get this map, they can start filling in the holes and boarding up the passages,” Telegram stated. “This will require many hours of work and many security updates, but eventually they should be able to take care of most of the problems.”
The post also reassured most users that they have nothing to fear, and included tips for securing one’s devices.
Several organizations issued announcements Tuesday. Apple said in a statement released to multiple news outlets that it has patched most of the vulnerabilities reported on.
“While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities,” Apple stated. “We always urge customers to download the latest iOS to make sure they have the most recent security update.”
Contacted by PR Daily, a tight-lipped Microsoft spokesperson said only, “We’re aware of the report and are looking into it.”
Samsung Electronics Co. told journalists it was aware of the WikiLeaks report and is looking into the matter. “Protecting consumers’ privacy and the security of our devices is a top priority at Samsung,” the organization stated in an email to numerous reporters.
But Samsung appeared flat-footed on its U.S. Twitter accounts. As of late Wednesday morning, the most recent tweet on its @SamsungTV account was a plug for using its product to access Facebook. Ironically, @SamsungBizUSA has tweeted repeatedly about security.
More pages than Snowden leak
WikiLeaks said the page count in Vault 7’s part one alone eclipses the total number of pages published over the first three years of the Edward Snowden NSA leaks. Tweeting from his refuge in Russia, Snowden highlighted some of the alarming allegations in the WikiLeaks documents.
Imagine a world where the actual CIA spends its time figuring out how to spy on you through your TV. That’s today. https://t.co/dQHBrsyIoI
— Edward Snowden (@Snowden) March 7, 2017
Organizations can perhaps mitigate the damage of leaks by having a plan in place to respond when they do happen, says Gil Rudawsky, vice president of GroundFloor Media.
“This is another alarm bell for all clients dealing with sensitive information that anything you say or email can potentially become public knowledge,” Rudawsky says. “If the CIA can get hacked or has a leak, what about businesses that spend millions of dollars less on maintaining secrecy of proprietary information?”
While the CIA’s Twitter feed hadn’t noted the breach by Wednesday morning, the agency did post its “artifact of the week”: An “Escape & Evasion Survival Kit.” Maybe that will come in handy for any agency officials hoping to flee the unwelcome spotlight.
Late Wednesday afternoon, CIA spokeswoman Heather Fritz Horniak offered further remarks on the leaks:
We have no comment on the authenticity of purported intelligence documents released by Wikileaks or on the status of any investigation into the source of the documents. However, there are several critical points we would like to make:
- CIA’s mission is to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries. It is CIA’s job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad. America deserves nothing less.
- It is also important to note that CIA is legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and CIA does not do so. CIA’s activities are subject to rigorous oversight to ensure that they comply fully with U.S. law and the Constitution.
- The American public should be deeply troubled by any Wikileaks disclosure designed to damage the intelligence community’s ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize U.S. personnel and operations, but also equip our adversaries with tools and information to do us harm.