WikiLeaks has released a tranche of 8,761 documents that demonstrate how the US Central Intelligence Agency (CIA) uses hacking tools to break into apps, phones and other devices. However, the implications of the latest “Vault 7” leaks seem to be more for the technology companies than for the intelligence agency in question. Some of the details in the leaks clearly suggest there are serious vulnerabilities in both iOS and Android, the top two operating systems for communication devices.
To recap, what has the CIA done?
The CIA has a programme by which it enlisted hundreds of partners to create hacking systems, including “zero day vulnerabilities” (which the software writer itself is unaware of), for popular consumer devices and operating systems. This was in violation of President Barack Obama’s commitment in 2010 that security agencies would inform tech companies about new vulnerabilities they had discovered.
WikiLeaks documents show that the CIA’s Mobile Development Branch created malware to infest both iOS and Android devices. It would seem that the CIA’s “arsenal” has “numerous local and remote ‘zero days’ developed by CIA or obtained from GCHQ, NSA, FBI or purchased from cyber arms contractors such as Baitshop”. Although Apple has just a 14.5% share of the global smartphone market, the CIA had a disproportionate interest in its devices, as they are more popular among the political, diplomatic and business elite.
So what then are the big issues that have emerged following the leaks?
To begin with, it seems the CIA has for some time had the capability to listen in on encrypted messaging apps like WhatsApp, Signal and Telegram. While millions of regular users use these messaging platforms to send text, voice and video messages, the fact that they are end-to-end encrypted also makes them attractive to terrorist groups and other subversive elements.
Apart from breaking into these apparently secure apps, the CIA hackers also used a programme called Weeping Angel to monitor users of Samsung’s F8000 smart television even though the devices appeared to be switched off. The so-called “Fake Off” mode in the smart TVs was apparently developed in collaboration with British intelligence agencies, and could be damaging for the entire smart-this-smart-that industry. This is a much larger issue — for the ability to switch on the device suggests a backdoor into the operating system itself.
In a series of tweets, former CIA employee Edward Snowden, who in 2013 leaked details of global surveillance programmes carried out by the US National Security Agency, said the latest leaks underlined the vulnerabilities in Android and iOS — and not in apps like WhatsApp and Signal. “This incorrectly implies CIA hacked these apps/encryption. But the doc[ument]s show iOS/Android are what got hacked — a much bigger problem,” Snowden, who now lives in an undisclosed location in Russia, tweeted.
The next logical question is, should you and I be worried?
Operating systems like Android are no longer limited to smartphones or tablets, as everything from cars to refrigerators is becoming smart — and using Android or iOS for this dose of intelligence. So, these vulnerabilities could give security agencies a window into what you are doing — a smartwatch can tell them you have walked a bit longer today, a smart car can tell them where you are headed and whether you are in a hurry, phone messages can suggest whom you are meeting and, of course, there is the capability of switching on your phone cameras and microphone to collect proof of that rendezvous having actually happened. Incidentally, the 2008 Shia LaBeouf thriller Eagle Eye created the scenario in which a person is tracked using devices around him. In theory, and it seems in practice too, all smart technologies can be used to spy on you.
Some of it is already here. All computing devices can be infected with malware and spyware that regularly send their creator data on what the person being spied upon is doing. Such malware has already made its way into smartphones through the innocuous-looking Flashlight and other such apps that take far more permissions than are actually required. Even without access to your personal devices, security agencies have had the capability to hack into closed circuit cameras remotely to spy on a person. In fact, a lot of CCTV cameras, especially in a country like India, are extra vulnerable because they have not been secured against such hacks.
Finally, do Indian security agencies have the capabilities that WikiLeaks has shown the CIA to possess?
The Vault 7 leaks don’t have anything on the Indian security agencies. But if the CIA has actively collaborated with British agencies to create a hack, it is not unlikely that such conversations may be on even with their counterparts in India, especially when Indian security agencies are fully aware that WhatsApp and Telegram are being used by terror elements seeking to target the country.