WikiLeaks Releases CIA Documents, Alleging Hacking of Consumer Electronics

WikiLeaks has published a massive trove of what appear to be confidential CIA documents that detail the tools used to break into phones and other popular consumer electronics.

In a massive release today, WikiLeaks has published more than 8,700 documents that it claims detail the tools that the CIA used to break into popular consumer electronics. The documents focus on techniques for hacking a number of items, from phones to computers to televisions. WikiLeaks states that the agency explored ways to hack into cars and vans in order to remotely control them, and that the CIA worked to develop a way to manipulate smart televisions in order to turn them into surveillance devices, even when turned off.

In a press release, WikiLeaks claims that this is the first in a series of CIA information leaks, codenamed "Vault 7," with the first massive leak today being referred to as "Year Zero."

"The first full part of the series, 'Year Zero', comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virginia," WikiLeaks said. "'Year Zero' introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of 'zero day' weaponized exploits against a wide range of US and European company products."

WikiLeaks alleges that the CIA "lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation." WikiLeaks states that the "extraordinary collection" "gives its possessor the entire hacking capacity of the CIA." According to WikiLeaks, the archive was "circulated among former U.S. government hackers and contractors in an unauthorized manner." One of those people allegedly provided portions of the archive to WikiLeaks.

According to WikiLeaks, the malware is "able to penetrate, infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts."

"The CIA attacks this software by using undisclosed security vulnerabilities ("zero days") possessed by the CIA but if the CIA can hack these phones then so can everyone else who has obtained or discovered the vulnerability," WikiLeaks said. "As long as the CIA keeps these vulnerabilities concealed from Apple and Google (who make the phones) they will not be fixed, and the phones will remain hackable."

"There is an extreme proliferation risk in the development of cyber 'weapons'. Comparisons can be drawn between the uncontrolled proliferation of such 'weapons', which results from the inability to contain them combined with their high market value, and the global arms trade," said WikiLeaks' Julian Assange. "But the significance of "Year Zero" goes well beyond the choice between cyberwar and cyberpeace. The disclosure is also exceptional from a political, legal and forensic perspective."

The CIA contact system is currently non-functional; however, in a statement to Fox News, a CIA spokesperson said, "We do not comment on the authenticity or content of purported intelligence documents."

Yeah, duh. What, you think filling your house with cameras and microphones was a good idea?!
Also yeah, that App you use to send sexy pictures that totally promises it doesn't keep the data and doesn't sell it to the Government, well...funny story that

Silentpony:
Yeah, duh. What, you think filling your house with cameras and microphones was a good idea?!
Also yeah, that App you use to send sexy pictures that totally promises it doesn't keep the data and doesn't sell it to the Government, well...funny story that

I'd be surprised if Government officials working on this stuff actually pleasured themselves to these "sexy pics" random people make of themselves with their smartphones.

Samtemdo8:

Silentpony:
Yeah, duh. What, you think filling your house with cameras and microphones was a good idea?!
Also yeah, that App you use to send sexy pictures that totally promises it doesn't keep the data and doesn't sell it to the Government, well...funny story that

I'd be surprised if Government officials working on this stuff actually pleasured themselves to these "sexy pics" random people make of themselves with their smartphones.

Well you say that...
http://www.cnn.com/2013/09/27/politics/nsa-snooping/
http://www.reuters.com/article/us-usa-surveillance-watchdog-idUSBRE98Q14G20130927

Some in the NSA really did spy on spouses, lovers, exes. See what they're up to, check out their pictures, etc.

Unrelated but of a similar vein, Best Buy Geek Squad is also infamous for stealing personal photos off computers they're working on.
So people steal and pleasure themselves to personal photos all the time.

Wire tapping is so last century.

Puhlease everybody knows that wikileaks is nothing more than a Russian puppet.
Putin is obviously just trying to undermine the world's trust in the CIA.

Wait, losing control of their hacking arsenal?

If that's true, in this day and age it'd be akin to a WW2 army just losing an entire fleet.

Silentpony:
snip

Can't say this surprises me. People will be people, and people often end up being really petty.

Any specifics on that "lost control" part? Confiscated? Stolen? Dropped down a well? Ran off to form a secret society of disgruntled hacking AI? What?

Xsjadoblayde:
Any specifics on that "lost control" part? Confiscated? Stolen? Dropped down a well? Ran off to form a secret society of disgruntled hacking AI? What?

It means, as far as the article and report can be interpreted, that the CIA is no longer the sole entity with knowledge and control of these exploits and the programs to exploit them.

While the CIA having them was bad enough, it was probably mostly harmless to the everyday person as the CIA would likely never risk using these programs and exploits vs. average people and instead reserve them for military and intelligence targets for fear of exposure or loss of control.

Now that an outside entity has control of them (if true), they essentially have what could be considered cyber warfare nuclear weapons that they can copy and sell to the highest bidder or use for their own purposes.

Basically, this was the cyber equivalent of "Only the US has usable nukes but we won't use-shit, now everyone has them".

For instance, if some of the leak is to be believed, they could potentially track or even shut down the majority of cellphone traffic in the world unless the CIA is willing to share the exploits they used with the companies and manufacturers to create patches and hotfixes.

Another big deal nobody in the US (normal citizens) will take seriously. Another thing Germany is majorly involved in. Another reason the established parties (at least in Germany) will lose to right-wing parties due to lack of alternative alternatives.

Samtemdo8:
I'd be surprised if Government officials working on this stuff actually pleasured themselves to these "sexy pics" random people make of themselves with their smartphones.

If the child porn ring they discovered at the Pentagon is any indication, they prefer something a bit younger. So your dick pics are probably safe.

Interesting way to do an end run around leaks by claiming it's the CIA's fault.

EDIT: Yeah, if this is anything like Wikileaks' recent press releases, it's going to end up being a whole load of nothing. Well, nothing besides fear mongering and misdirection, anyway.

3 other things of note I saw pointed out in the docs.

They (allegedly) have a policy of appropriating and using malware from across the world as a method of misdirecting suspicion.

They had (or wanted) tools to be able to seize remote control of cars and force them to crash as a method of 'untraceable assassination'.

And a document at least proposed the creation of a meme task force.

gigastar:
And a document at least proposed the creation of a meme task force.

I do think that when the current generation gets a bit older and starts voting more their voting habits and outlook on things are going to be influenced by memes they see online so a meme task force will be a useful thing to have to try to influence the masses.

Paragon Fury:

Xsjadoblayde:
Any specifics on that "lost control" part? Confiscated? Stolen? Dropped down a well? Ran off to form a secret society of disgruntled hacking AI? What?

It means, as far as the article and report can be interpreted, that the CIA is no longer the sole entity with knowledge and control of these exploits and the programs to exploit them.

While the CIA having them was bad enough, it was probably mostly harmless to the everyday person as the CIA would likely never risk using these programs and exploits vs. average people and instead reserve them for military and intelligence targets for fear of exposure or loss of control.

Now that an outside entity has control of them (if true), they essentially have what could be considered cyber warfare nuclear weapons that they can copy and sell to the highest bidder or use for their own purposes.

Basically, this was the cyber equivalent of "Only the US has usable nukes but we won't use-shit, now everyone has them".

For instance, if some of the leak is to be believed, they could potentially track or even shut down the majority of cellphone traffic in the world unless the CIA is willing to share the exploits they used with the companies and manufacturers to create patches and hotfixes.

Ah yes that does make more sense in perspective now, thanks!

Xsjadoblayde:
Any specifics on that "lost control" part? Confiscated? Stolen? Dropped down a well? Ran off to form a secret society of disgruntled hacking AI? What?

That's actually in the documents. It turns out, there's a regulation that says nothing classified can be sent over the internet, so to circumvent this, the CIA declassified its malware programs. That means that people who know where to look can get a hold of them. The CIA's hacking tools are in the hands of criminals all over the country and the world. They could even be in the hands of foreign governments.

Bobular:

gigastar:
And a document at least proposed the creation of a meme task force.

I do think that when the current generation gets a bit older and starts voting more their voting habits and outlook on things are going to be influenced by memes they see online so a meme task force will be a useful thing to have to try to influence the masses.

I do see where they're coming from in attempting to break into memes, but come the fuck on, you see Gen-X'ers trying to meme when they can barely use a computer without falling for a phishing scam. It's so pathetic I can't stop myself from laughing at the entire concept of it.

And we aren't even sure what, if any, memes the CIA tried to propagate. If we knew, it would certainly fill my comedy quota for the month before I see whatever stupid shit Antifa or BLM are getting up to next.

But by the time we are all old and senile, governments across the world will have a Ministry of Memes headed by a Secretary of Shitposting. Their entire remit just being to take the piss out of the opposition's policies.

Actually, what I'm most interested in here is how all these software devs are going to respond to this. If the malware is easily accessible to everyone smart enough to get it, then it's not exactly super hard for the devs themselves to get their hands on the code too. And then the "zero-day" exploits will soon become old news.

But that is, of course, assuming the dev teams are any sort of competent when it comes to security development. I know at least some companies are gonna be like, "lol don't care"

EDIT: VLC team is already working on fixing this so that's good. The issue though is that the damage is done and the old versions have been out in the wild for way too long so they can still be obtained and used. Ultimately, Microsoft is gonna have to bite most of the bullet here it looks like.

Dornedas:
Puhlease everybody knows that wikileaks is nothing more than a Russian puppet.
Putin is obviously just trying to undermine the world's trust in the CIA.

Trust me, he didn't need to do anything to achieve that.

*stares at a Chilean helicopter passing by powered by British petroleum and carrying bananas from Colombia*

gigastar:
3 other things of note I saw pointed out in the docs.

They (allegedly) have a policy of appropriating and using malware from across the world as a method of misdirecting suspicion.

Well, this is Wikileaks editorializing the leaked data. I haven't seen any evidence or reports that the data contains actual false flag operations using other hacking groups'/nation-state's malware or attack techniques. Yes, the CIA collects malware and attack methods from other parties in a database. Yes, they use that information and take "code snippets" of existing malware to adapt their own methods and malware. I'm sure every government cyber operation does the same (which, on a side note, is why things like Stuxnet are so dangerous -- because now Iran, Russia and others can use the same code and adapt it for new variants).

Making the leap to say that the CIA is running a false flag operation is extremely irresponsible, especially since 1) there's no documentation in the leaks that shows the CIA took third-party malware and used it for an attack, and 2) the very document that Wikileaks posted states the goal of the Umbrage "Component Library" in black & white:

"The goal of this repository is to provide functional code snippets that can be rapidly combined into custom solutions. Rather than building feature-rich tools, which are often costly and can have significant CI value, this effort focuses on developing smaller and more targeted solutions built to operational specifications."

What's more, you can't engage in an effort to "misdirect attribution" as Wikileaks claims if you're building custom solutions that only use "snippets" of code from existing malware types. That's complete and utter nonsense, and no cyber attribution expert in the world would go for that.

gigastar:
They had (or wanted) tools to be able to seize remote control of cars and force them to crash as a method of 'untraceable assassination'.

Again, this is Wikileaks editorializing and making leaps. The press release states that the CIA was looking to infect vehicle software systems like QNX with malware. "The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations."

First, no, it would permit such things -- at least if we're talking about QNX. As far as I know, QNX doesn't extend to actual vehicle controls for brakes, acceleration, etc. and only applies to features like telematics, advanced driver assistance, hands-free controls and entertainment systems. So I'm not sure why Wikileaks would claim that CIA hacks could potentially allow the agency to gain control of a vehicle and crash it, though I'm sure Wikileaks would love to spark more conspiracy theories about Michael Hastings' death.

Second, there's nothing in the leaked documents that suggests that the aim of the CIA is to remote control, disable and crash vehicles (even if it were possible with other car OSes). It's highly likely (though obviously unconfirmed) that the hacking efforts in question would be designed to leverage the hands-free/entertainment controls to establish a surveillance "listening post," similar to the Samsung smart TV hacks disclosed in the Vault 7 docs.

gigastar:
And a document at least proposed the creation of a meme task force.

And don't forget the emojis.

Exley97:
Well, this is Wikileaks editorializing the leaked data.

OK, first up I should state that I collected my findings off of Twitter, not from Wikileaks directly.

Yes I know I'm fucking scum but I'd rather do gaming and let other people pick through the thousands of documents.

And also listen to Alex Jones on the subject, seriously a conspiracy theorist getting evidence to support his narrative is a fucking comedy goldmine.

Exley97:
I haven't seen any evidence or reports that the data contains actual false flag operations using other hacking groups'/nation-state's malware or attack techniques. Yes, the CIA collects malware and attack methods from other parties in a database. Yes, they use that information and take "code snippets" of existing malware to adapt their own methods and malware. I'm sure every government cyber operation does the same (which, on a side note, is why things like Stuxnet are so dangerous -- because now Iran, Russia and others can use the same code and adapt it for new variants).

Making the leap to say that the CIA is running a false flag operation is extremely irresponsible, especially since 1) there's no documentation in the leaks that shows the CIA took third-party malware and used it for an attack, and 2) the very document that Wikileaks posted states the goal of the Umbrage "Component Library" in black & white:

"The goal of this repository is to provide functional code snippets that can be rapidly combined into custom solutions. Rather than building feature-rich tools, which are often costly and can have significant CI value, this effort focuses on developing smaller and more targeted solutions built to operational specifications."

What's more, you can't engage in an effort to "misdirect attribution" as Wikileaks claims if you're building custom solutions that only use "snippets" of code from existing malware types. That's complete and utter nonsense, and no cyber attribution expert in the world would go for that.

I'd just like to point out the CIA does have false flag operations in its history. Now granted not its recent history but such things are probably put beyond the reach of the former contractors allegedly responsible for leaking these files.

And I'm certainly no expert on the subject of cyber warfare or the tools used to fight it. I prefer to leave these things to people who do understand them.

Exley97:
Again, this is Wikileaks editorializing and making leaps. The press release states that the CIA was looking to infect vehicle software systems like QNX with malware. "The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations."

First, no, it would permit such things -- at least if we're talking about QNX. As far as I know, QNX doesn't extend to actual vehicle controls for brakes, acceleration, etc. and only applies to features like telematics, advanced driver assistance, hands-free controls and entertainment systems. So I'm not sure why Wikileaks would claim that CIA hacks could potentially allow the agency to gain control of a vehicle and crash it, though I'm sure Wikileaks would love to spark more conspiracy theories about Michael Hastings' death.

Second, there's nothing in the leaked documents that suggests that the aim of the CIA is to remote control, disable and crash vehicles (even if it were possible with other car OSes). It's highly likely (though obviously unconfirmed) that the hacking efforts in question would be designed to leverage the hands-free/entertainment controls to establish a surveillance "listening post," similar to the Samsung smart TV hacks disclosed in the Vault 7 docs.

If you're willing to assume that the prospect of RC assassinations is real for a moment, could you see this being used for self driving or driverless vehicles?

And yes more surveillance does seem more likely today than actually forcing vehicles to crash.

Although I remain skeptical (out of ignorance, I admit) that vehicles driven by electric and dynamic hybrid motors couldn't be hacked and at least forced to stop.

Exley97:

gigastar:
And a document at least proposed the creation of a meme task force.

And don't forget the emojis.

I'm more interested to find out if they actually tried it, and what memes, if any, they tried to get off the ground.

gigastar:

Exley97:
I haven't seen any evidence or reports that the data contains actual false flag operations using other hacking groups'/nation-state's malware or attack techniques. Yes, the CIA collects malware and attack methods from other parties in a database. Yes, they use that information and take "code snippets" of existing malware to adapt their own methods and malware. I'm sure every government cyber operation does the same (which, on a side note, is why things like Stuxnet are so dangerous -- because now Iran, Russia and others can use the same code and adapt it for new variants).

Making the leap to say that the CIA is running a false flag operation is extremely irresponsible, especially since 1) there's no documentation in the leaks that shows the CIA took third-party malware and used it for an attack, and 2) the very document that Wikileaks posted states the goal of the Umbrage "Component Library" in black & white:

"The goal of this repository is to provide functional code snippets that can be rapidly combined into custom solutions. Rather than building feature-rich tools, which are often costly and can have significant CI value, this effort focuses on developing smaller and more targeted solutions built to operational specifications."

What's more, you can't engage in an effort to "misdirect attribution" as Wikileaks claims if you're building custom solutions that only use "snippets" of code from existing malware types. That's complete and utter nonsense, and no cyber attribution expert in the world would go for that.

I'd just like to point out the CIA does have false flag operations in its history. Now granted not its recent history but such things are probably put beyond the reach of the former contractors allegedly responsible for leaking these files.

And I'm certainly no expert on the subject of cyber warfare or the tools used to fight it. I prefer to leave these things to people who do understand them.

The CIA has a long and distinguished history of shady, immoral and outright criminal acts. That's not in dispute. I just think we need to be careful before taking what limited information we have from the Vault 7 dump and running crazy with it about false flag ops and remotely crashing cars when there is zero evidence the CIA is actually doing those things.

gigastar:

Exley97:
Again, this is Wikileaks editorializing and making leaps. The press release states that the CIA was looking to infect vehicle software systems like QNX with malware. "The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations."

First, no, it would permit such things -- at least if we're talking about QNX. As far as I know, QNX doesn't extend to actual vehicle controls for brakes, acceleration, etc. and only applies to features like telematics, advanced driver assistance, hands-free controls and entertainment systems. So I'm not sure why Wikileaks would claim that CIA hacks could potentially allow the agency to gain control of a vehicle and crash it, though I'm sure Wikileaks would love to spark more conspiracy theories about Michael Hastings' death.

Second, there's nothing in the leaked documents that suggests that the aim of the CIA is to remote control, disable and crash vehicles (even if it were possible with other car OSes). It's highly likely (though obviously unconfirmed) that the hacking efforts in question would be designed to leverage the hands-free/entertainment controls to establish a surveillance "listening post," similar to the Samsung smart TV hacks disclosed in the Vault 7 docs.

If you're willing to assume that the prospect of RC assassinations is real for a moment, could you see this being used for self driving or driverless vehicles?

And yes more surveillance does seem more likely today than actually forcing vehicles to crash.

Although I remain skeptical (out of ignorance, I admit) that vehicles driven by electric and dynamic hybrid motors couldn't be hacked and at least forced to stop.

To answer your question, yes -- I could see these sorts of hacks being used for driverless cars. The embedded system security of these vehicles will be one of the biggest, if not the biggest, sticking points for widespread adoption. If people suspect that someone can hack into their Google self-driving compact and run it off a bridge, there's little chance they'll take that risk.

RJ Dalton:

That's actually in the documents. It turns out, there's a regulation that says nothing classified can be sent over the internet, so to circumvent this, the CIA declassified its malware programs. That means that people who know where to look can get a hold of them. The CIA's hacking tools are in the hands of criminals all over the country and the world. They could even be in the hands of foreign governments.

I'm fairly certain that if the CIA cyber warfare folks were willing to declassify (some) of their malware programs just to make it easy to download off the Internet, then those malware programs probably don't pack much of a punch at the level the CIA or foreign governments operate at. I give it a 50/50 that this is a (possibly ill-conceived) honeypot trap.

Besides, zero day attacks are mostly a cyber security red herring. Why go through all that effort if you can just hand out USB drives to government officials in goodie bags at a convention or trick some low level schmuck into clicking on an email link?

 
