Everyone is talking about WikiLeaks’ massive CIA data dump — here’s what’s going on

WikiLeaks published a large cache of documents stolen from the CIA related to hacking tools on Tuesday. The Wall Street Journal has confirmed their authenticity with an intelligence source. 
The files seem explosive at first glance. Internal CIA files are rarely seen, and WikiLeaks has used them to claim that the agency has "lost control of the majority of its hacking arsenal."

But some of the claims that WikiLeaks presented along with the documents have been criticized by security researchers as being exaggerated or overblown. WikiLeaks has claimed that secure messaging apps have been broken, and that the CIA can hack into iPhones, which have widely been seen as a more secure choice than Android.

Although the documents themselves are a rare and fascinating look into the CIA, there isn't much in there that should worry everyday people for now, security researchers and professionals told Business Insider. 

Here's what you need to know as an iPhone or iPad user about the WikiLeaks' "Vault 7" dump.

False: The CIA was able to break into Signal and WhatsApp

Apps like Signal and WhatsApp are commonly cited as secure messaging apps, meaning that the government, companies, or hackers can't intercept messages in transit and read them.

That's what security professionals call "end-to-end encryption."

So, if the CIA was able to break into Signal, as several outlets and commentators have claimed, that would be a big deal. Even WikiLeaks is phrasing its claims to make it sound like this is the case. 

The good news is that there is no evidence in the WikiLeaks dump that suggests the math that keeps messages secure — called "crypto" — behind either WhatsApp or Signal has been broken, as suggested by WikiLeaks. 

Instead, the claim is more fundamental. If the CIA were able to hack into an end user's iPhone or Android device, then Signal's crypto wouldn't matter. The CIA would be able to read what users are seeing and sending before it was encrypted by the software. 

If your computer or operating system, like iOS, is already compromised, then it doesn't matter how secure your messaging system is.

Basically, "CIA has some expensive, targeted ways to hack phones, and if your phone is hacked, well, your apps won't save you," Zeynep Tufekci, New York Times contributor and associate professor at the University of North Carolina School of Information and Library Science, told Business Insider. 

"If someone is specifically targeted and their phone is running an older version and thus vulnerable to exploitation, no 'secure' apps can protect you because the OS itself is compromised," Will Strafach, CEO of Sudo Security Group and a security professional with extensive experience with iOS exploits told Business Insider. 

 Open Whisper Systems @whispersystems
The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption.
3:02 PM - 7 Mar 2017
  1,980 1,980 Retweets   1,785 1,785 likes

Signal's underlying technology remains secure. “End-to-end encryption has pushed intelligence agencies away from undetected and unfettered mass surveillance to where they have to use high-risk and targeted attacks," Signal creator Moxie Marlinspike told New York magazine. 

"WikiLeaks has an interest in getting big hype for their leaks obviously, so it blurs what is and is not a concern," Strafach said. 

WikiLeaks did not release a tool that can hack an up-to-date iPhone

Although WikiLeaks claims the CIA has exploits that can work on iPhones, the actual tools and code needed to implement those hacks was not included in the document release, according to Strafach and other security experts. "I do not believe any iOS user running iOS 10+ has any cause for concern" stemming from the WikiLeaks files, Strafach said. 

The documents do refer to iOS exploits — commonly called "zero days," or bugs that have not been publicly found before — but they tend to be threads and hints leading to a working exploit, instead of what's needed to verify the CIA's capabilities. And many of the exploits in the leaked files have already been found and squashed.

"While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue to work rapidly address any identified vulnerabilities," an Apple spokesperson said in a statement. 

What WikiLeaks is claiming the CIA can do is scary: Basically, using expensive undiscovered bugs, it could take over a target's phone if it gets them to click on a link or another attack vector. 

Using exploits, hackers can "make [a phone] appear to be off when it's really on, and enable your microphone, and be able to listen to conversations you're having with other people," exploit vendor and famous hacker Kevin Mitnick told Business Insider last month. 

Strafach said that after perusing the WikiLeaks files, "If you are an average iOS user and you are worried about a malicious party downloading this leak and using information from it to hack your iOS device, you can rest easy."

"This is not possible from what has currently been released," he said. 

Strafach said that much of the files seem to show tools that do "not appear to be incredibly 'production-ready'" and are experimental in nature. Many of the files released look like the work of a small team working on experimentation and R&D, and resemble how iPhone jailbreakers and small security companies put together research and internal wiki websites, he said. 

"I can’t rule out that there is not a single live vulnerability at all mentioned, but I at least have been able to ascertain that this leak does not have anything which can pose a threat to an everyday user," he said. 

WikiLeaks hasn't published everything it has

WikiLeaks said that it removed code and other parts of its leaked data that could be used by hackers. But it has said that Tuesday's dump is only the first of many — it's possible that WikiLeaks is planning to publish exploit code in the future.

But that might end up being a good thing for iPhone and iPad users, because when an exploit becomes public, it gets patched by Apple and other big tech companies. Once it's patched, hackers and organizations like the CIA can't use them anymore. 

Apple pays up to $500,000 for a working iOS exploit. Mitnick said the going rate for an iOS exploit can range up to $1,500,000. 

If there are any exploits revealed by the WikiLeaks CIA files, it's possible that it just made millions of dollars of CIA software useless. The CIA "have to use these [attacks] very carefully,” Marlinspike said to New York Magazine. “Every time they use one, there’s a chance it’ll be detected, which costs millions of dollars to them.”

Read this cool article and more at their source.

Source: Business Insider, UK,

Topics: Vault 7 dump, hacking tools, WhatsApp, working iOS exploit, Zeynep Tufekci, end-to-end encryption, keynote speaker, Moxie Marlinspike, New York Times, iOS 10+, WikiLeak, Signal, Apple, attack vector, CIA data dump, CIA hacking iPhones, crypto, broken messaging apps, iOS, Kevin Mitnick

Latest Posts

Kevin offers three excellent presentations, two are based on his best-selling books. His presentations are akin to technology magic shows that educate and inform while keeping people on the edge of their seats. He offers expert commentary on issues related to information security and increases “security awareness.”

Redefining Your Enterprise’s Cyber Security Posture During Mergers & Acquisitions

With 3,205 data compromises occurring in 2023 alone, fortifying your enterprise’s cybersecurity posture is more important than ever.

Read more ›

Choosing a Penetration Testing Company for Mac-based Environments

Powering your business with Apple devices because of their reputable security and privacy features? You may be surprised to learn that while Apple dev..

Read more ›

AI in Cyber Security: Impacts, Benefits, and More To Be Aware Of

Artificial intelligence in cybersecurity has been a hot topic lately, especially with the rise of OpenAI’s ChatGPT. But does that mean it would make a..

Read more ›