The Central Intelligence Agency’s hackers have developed tools letting them break into devices to monitor conversations and messages, according to documents released by WikiLeaks that — if true — could expose U.S. operations in countries from North Korea to Iran.
“If they can hack into the CIA they can hack into anyone,” Republican Senator John McCain, chairman of the Senate Armed Services Committee, said of WikiLeaks. “This is very, very serious.”
WikiLeaks, which specializes in disclosing government secrets, posted 8,761 documents and files Tuesday that it said came from the CIA’s Center for Cyber Intelligence. The group said the center developed ways to hack into devices, from Apple Inc.’s iPhones and phones based on Google’s Android system to Samsung “smart” televisions, in order to monitor conversations and messages.
The trove, if legitimate, discloses malware, viruses and security vulnerabilities known as “zero days.” It also reveals that the agency has the ability to break into devices and intercept messages before they can be encrypted by applications such as Facebook Inc.’s WhatsApp, Signal, Telegram and Confide.
“At first glance it is probably legit or contains a lot of legitimate stuff, which means somebody managed to extract a lot of data from a classified CIA system and is willing to let the world know that,” Nicholas Weaver, a senior researcher at the International Computer Science Institute at the University of California at Berkeley, said in an email.
CIA spokesman Jonathan Liu said in an email, “We do not comment on the authenticity or content of purported intelligence documents.”
Foreign governments that think their computers and devices have been infiltrated could follow the digital trail to pinpoint exactly where the CIA has been — and potentially track down insiders who may have aided in those intelligence operations, according to a former U.S. intelligence official who asked not to be identified discussing sensitive matters.
In the worst case, some of the agency’s most sensitive operations could be exposed in countries such as North Korea, Iran, and Russia, setting back U.S. intelligence efforts, the former official said.
Hard to Replace
The types of hacking capabilities purportedly disclosed by WikiLeaks aren’t easily replaced once they are disclosed, and targets can develop defenses against them, according to a former National Security Agency cyber engineer, who asked not to be identified because of the sensitivity of the information. The alleged leaks are a reminder of how important, yet difficult, data protection is for intelligence agencies, added the former official, who said there appears to be a crisis in operational security over maintaining confidentiality.
But a technology entrepreneur, who asked not to be identified discussing sensitive matters, said that nothing in the WikiLeaks documents would allow for the mass interception of communications. The executive said the material is malware, mostly for older operating systems, and isn’t especially advanced technically.
WikiLeaks boasted Tuesday that its CIA leak “eclipses” the number of pages in Edward Snowden’s 2013 disclosures of National Security Agency programs. But its posting Tuesday disclosed mostly instructions about how to deploy hacking tools rather than the specifics that would be most useful to the CIA’s adversaries.
WikiLeaks said it redacted and removed some identifying information from the content, including the names of CIA employees and tens of thousands of “CIA targets and attack machines’’ in Latin America, Europe and the U.S. The group said it obtained portions of the CIA’s hacking archive, which has several hundred million lines of code. WikiLeaks said it withheld releasing “armed” cyberweapons until “a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should analyzed, disarmed and published.”
“It could be potentially more dangerous than Snowden,” said Bob Stasio, a fellow at the Truman National Security Project. “The Snowden leaks were damaging but were never linked to an actual threat of life that we know of. If this leak turns out to be genuine, the lives of people who have worked with the CIA could be at risk.”
Last year, WikiLeaks posted thousands of stolen emails to and from Democrat Hillary Clinton’s presidential campaign chairman. WikiLeaks has denied that it obtained the Clinton emails from Russia, which U.S. intelligence agencies have said was responsible for hacking during last year’s campaign to hurt Clinton and, ultimately, help Donald Trump win the White House.
In an analysis it released Tuesday, WikiLeaks said the CIA’s Remote Devices Branch has a group called UMBRAGE, which maintains a “substantial library” of attack methods from malware produced in other countries, including Russia.
WikiLeaks said the CIA documents showed the agency is able to defeat encryption on popular applications such as WhatsApp and Signal by simply hacking into the devices “that they run on and collecting audio and message traffic before encryption is applied.”
Moxie Marlinspike, the founder of Open Whisper Systems, which maintains the Signal app, said in an email that the CIA’s alleged techniques don’t involve breaking Signal’s encryption. He said that’s “confirmation that what we’re doing is working. Ubiquitous end-to-end encryption is pushing intelligence agencies like the CIA from a world of undetectable mass surveillance to a world where they have to very selectively use high-risk, expensive, targeted attacks.”
Underscoring the same theme, Telegram wrote on Twitter that the problem was with phones and operating systems, not its messaging app. “This one is for the device and OS manufacturers to fix,” the company said.
WhatsApp has 1.2 billion monthly users, while Telegram has more than 100 million. Signal was the 32nd most popular app on Google’s Play app as of Monday, according to App Annie, which tracks app data. Telegram was 37th and WhatsApp was second.
Activists, journalists and others often turn to such outlets for secure communications, while terrorist groups such as Islamic State have used Telegram to go undetected. U.S. intelligence and law enforcement agencies have said that they need new powers to break into encrypted applications and devices.
WikiLeaks said the material it disclosed “appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”
While the material may reveal sensitive CIA techniques, it doesn’t list “executables or exploits” — details on actual attacks that have been carried out and the targets — according to Weaver of the International Computer Science Institute, who was beginning to analyze the documents.
Google’s Android runs more than 85 percent of the world’s smartphones, while Apple’s iOS runs 13 percent, according to research firm IDC.
Apple said many of the issues identified have already been addressed in the latest version of iOS and the company is committed to safeguarding customer privacy and security.
“Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version,” Apple said in a statement. “We always urge customers to download the latest iOS to make sure they have the most recent security updates.”
Google said it is “actively investigating” the WikiLeaks disclosures. Facebook declined to comment.
The CIA also “runs a very substantial effort to infect and control” Microsoft Windows users with its malware, including infecting removable media such as USB drives, WikiLeaks said. The Windows operating system runs more than 90 percent of desktop computers, according to Net Applications.
Microsoft said it will patch any security vulnerabilities that turn up from the WikiLeaks disclosures. A company official last month called for countries to leave civilians out of any hacking.
In a tactic dubbed “Weeping Angel” in the documents, hackers attack Samsung smart TVs, “transforming them into covert microphones,” according to WikiLeaks. Samsung didn’t respond to a request for comment.
The agency uses the U.S. consulate in Frankfurt as a “covert base for its hackers” covering Europe, the Middle East and Africa, according to WikiLeaks.
The leaked documents show that the government has “deliberately maintained vulnerabilities in the most common devices used by hundreds of millions of people,” Ben Wizner, director of the ACLU Speech, Privacy and Technology Project, said in a statement. “Those vulnerabilities will be exploited not just by our security agencies, but by hackers and governments around the world.”
Cindy Cohn, executive director of the Electronic Frontier Foundation, said in a statement that the leaks show “we’re all made less safe by the CIA’s decision to keep — rather than ensure the patching of — vulnerabilities. Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.”