Everyone Is Talking About WikiLeaks' Massive CIA Data Dump -- Here's What's Going On
WikiLeaks on Tuesday published a large cache of documents that it said came from the CIA and describe the agency's hacking tools. An intelligence source confirmed to The Wall Street Journal some of the contents of the documents.
The files seem explosive at first glance. Internal CIA files are rarely seen, and WikiLeaks has used them to claim that the agency has "lost control of the majority of its hacking arsenal."
But some of the claims that WikiLeaks presented along with the documents have been criticized by security researchers as exaggerated or overblown. WikiLeaks has suggested that secure messaging apps have been broken and that the CIA can hack into iPhones, which have widely been seen as a more secure choice than Android phones.
Although the documents themselves are a rare and fascinating possible look into the CIA, there isn't much in there that should worry people for now, security researchers and professionals told Business Insider.
Here's what you need to know as an iPhone or iPad user about the WikiLeaks "Vault 7" dump.
1. False: The CIA was able to break into Signal and WhatsApp.
Apps like Signal and WhatsApp are commonly cited as secure messaging apps: messages are encrypted on the sender's device and decrypted only on the recipient's, so governments, companies (including the app maker itself) or hackers who intercept them in transit can't read them.
That's what security professionals call "end-to-end encryption."
The good news is that there is no evidence in the WikiLeaks dump that the cryptography behind either WhatsApp or Signal has been broken, as WikiLeaks suggested.
What the documents describe is more basic. If the CIA can hack into an end user's iPhone or Android device, then Signal's crypto doesn't come into play: the agency can read what users type and see before the app encrypts it, and after the app decrypts it.
If your device or operating system, such as iOS, is already compromised, it doesn't matter how secure your messaging app is.
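As an added illustration (not from the article, the leaked documents, or Signal's own code), the following Python sketch models the distinction the researchers draw: a passive attacker on the network sees only ciphertext, while malware on the sending phone reads the message before the app encrypts it. The cipher is a toy encrypt-then-MAC built from SHA-256 and HMAC so the example runs with the standard library alone; it is not the Signal Protocol, and the `Phone`, `implant` and `network_observer` names are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Toy encrypt-then-MAC construction (SHA-256 counter keystream + HMAC-SHA256).
# It exists only to mark where the encryption boundary sits; it is NOT the
# Signal Protocol and must not be reused as a real cipher.
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, wire: bytes) -> bytes:
    """Verify the tag, then strip the keystream. Raises on any tampering."""
    nonce, ct, tag = wire[:NONCE_LEN], wire[NONCE_LEN:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Phone:
    """Hypothetical messaging endpoint. `implant` stands in for malware on the
    device: it is handed every message before the app encrypts it, which is
    exactly what a device compromise buys an attacker."""

    def __init__(self, name: str, session_key: bytes, implant=None):
        self.name = name
        self.key = session_key
        self.implant = implant

    def send(self, text: str) -> bytes:
        plaintext = text.encode()
        if self.implant is not None:
            self.implant(self.name, plaintext)   # read straight off the compromised OS
        return encrypt(self.key, plaintext)      # encryption happens only after that

    def receive(self, wire: bytes) -> str:
        return decrypt(self.key, wire).decode()


def network_observer(wire: bytes, candidates) -> list:
    """Passive attacker on the path (carrier, ISP, hostile Wi-Fi): has the
    bytes but no key. Returns which candidate messages are visible in them."""
    return [c for c in candidates if c.encode() in wire]


def run_scenario(message: str = "meet at 9pm, bring the documents") -> dict:
    key = os.urandom(32)            # stand-in for a protocol-derived session key
    captured = []                   # what the implant on Alice's phone exfiltrates
    alice = Phone("alice", key, implant=lambda who, pt: captured.append((who, pt)))
    bob = Phone("bob", key)
    wire = alice.send(message)      # constructed sample message, not real traffic
    return {
        "delivered": bob.receive(wire),
        "seen_on_wire": network_observer(wire, [message]),
        "captured_on_device": captured,
    }


def tampering_rejected(message: str = "hello") -> bool:
    """Flip one ciphertext byte; the receiver must refuse it."""
    key = os.urandom(32)
    wire = bytearray(encrypt(key, message.encode()))
    wire[NONCE_LEN] ^= 0x01
    try:
        decrypt(key, bytes(wire))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_scenario())
    print("tampering rejected:", tampering_rejected())
```

The point of the model is the order of operations in `Phone.send`: the implant runs before `encrypt`, so nothing about the cipher, the key length or the protocol changes what it captures. The network observer, by contrast, never recovers the message and cannot alter it without the receiver noticing.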
Basically, the CIA "has some expensive, targeted ways to hack phones, and if your phone is hacked, well, your apps won't save you," Zeynep Tufekci, a New York Times contributor and associate professor at the University of North Carolina School of Information and Library Science, told Business Insider.
The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption.— Open Whisper Systems (@whispersystems) March 7, 2017
Signal's underlying technology remains secure, it says.
"End-to-end encryption has pushed intelligence agencies away from undetected and unfettered mass surveillance to where they have to use high-risk and targeted attacks," Moxie Marlinspike, the creator of Signal, told New York Magazine.
iOS security researcher Will Strafach said, "WikiLeaks has an interest in getting big hype for their leaks, obviously, so it blurs what is and is not a concern."
2. The CIA did not release a tool that can hack an up-to-date iPhone.
Although WikiLeaks claims the CIA has exploits that work on iPhones, the tools and code needed to carry out those attacks were not included in the document release, according to Strafach and other security experts.
"I do not believe any iOS user running iOS 10+ has any cause for concern" stemming from the WikiLeaks files, Strafach said.
The documents refer to iOS exploits for "zero days," bugs that the vendor does not yet know about and so has not patched. But they tend to be fragments and hints about a working exploit rather than what would be needed to verify the CIA's capabilities. And many of the bugs in the leaked files have already been found and patched.
"While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue to work rapidly to address any identified vulnerabilities," an Apple representative said in a statement.
What WikiLeaks is claiming the CIA can do is scary: that by using expensive, undisclosed bugs, it could take over a target's phone if it got the target to click on a link, or through some other attack vector.
Using exploits, hackers can "make [a phone] appear to be off when it's really on, and enable your microphone, and be able to listen to conversations you're having with other people," Kevin Mitnick, an exploit vendor and well-known hacker, told Business Insider last month.
Strafach said that, after perusing the WikiLeaks files, "if you are an average iOS user and you are worried about a malicious party downloading this leak and using information from it to hack your iOS device, you can rest easy.
"This is not possible from what has currently been released," he said.
Strafach said that many of the files seem to show tools that do "not appear to be incredibly 'production-ready'" and are experimental in nature. Much of the released material looks like a small team's experimentation and R&D, and resembles how iPhone jailbreakers and small security companies put together research and internal wikis, he said.
"I can't rule out that there is not a single live vulnerability at all mentioned, but I at least have been able to ascertain that this leak does not have anything which can pose a threat to an everyday user," he said.
3. WikiLeaks hasn't published everything it has.
WikiLeaks said that it removed code and other parts of its leaked data that could be used by hackers. But it has said that Tuesday's dump is the first of many, so it's possible that WikiLeaks is planning to publish exploit code in the future.
That might end up being a good thing for iPhone and iPad users, because when an exploit becomes public, the underlying bug gets patched by Apple and other big tech companies. Once it's patched, hackers and organizations like the CIA can't use it against devices that have installed the update, though devices left on older versions remain exposed.
Apple pays up to $200,000 for a working iOS exploit. Mitnick said the going rate for an iOS exploit can be up to $1,500,000.
If any exploits are revealed by the WikiLeaks files, it's possible that it just made millions of dollars of CIA software useless. The CIA "have to use these [attacks] very carefully," Marlinspike told New York Magazine. "Every time they use one, there's a chance it'll be detected, which costs millions of dollars to them."
For maximum security, you should update to the latest version of iOS on your iPhone or iPad in Settings > General > Software Update, since Apple's fixes for these issues only reach devices that install them.