On Friday March 17th, I moderated a BrightTalk panel with Jason Haddix, head of security research at Bugcrowd, and Gaurav Banga, former CEO of Bromium, on Wikileak’s Vault 7. This post is a summary of the points discussed on the panel.
What is Vault 7?
On March 7, 2017, Wikileak released a new series of leaks on the U.S. Central Intelligence Agency (CIA). The new leak was code-named “Vault 7”, and it contained a confidential trove of hacking tools used by the CIA. The leak was said to be from an internal, isolated network of the CIA.
What does Vault 7 have?
Vault 7 contained a list of CIA’s hacking tools including malware, trojans, viruses, and 0-day exploits. Many of the malware and exploits target widely deployed consumer devices such as Samsung TV and iPhones. Among the vulnerabilities documented in the files, approximately thirty percent of which are previously unknown, in other words 0-days, even though most of the 0-days are for older operating systems and platforms.
Should we be surprised that CIA has such surveillance capabilities?
Probably not. In fact, you should be surprised if CIA (or other nation states) does NOT have something similar to this, namely using popular consumer devices or software to conduct targeted surveillance.
Should I be concerned about the hacks personally affecting me?
Most of the hacks require physical access to the device. Unless you are worried about someone gaining physical access to your phone or your TV, the Vault 7 revelation does not visibly change your individual risks. In addition, some of the vulnerabilities and risks were known for some time. EPIC warned FTC about Samsung TV surveillance risks back in 2015.
Even though the current revelation hinges on having physical access to the devices. With consumer devices increasingly become Internet accessible, should I be worried about CIAs attaining remote surveillance capabilities?
Yes, remote surveillance is a distinct possibility, even if the Vault 7 revelation says very little on that subject. However, unlike the Snowden revelation, the hacks contained in Vault 7 all appear to be targeting individual surveillance subjects in legitimate CIA field operations. As such, there is no reason for anyone to be concerned about mass remote surveillance conducted by CIA.
Is this as big of a deal as Snowden?
No, Snowden revealed that there was undocumented, illegal mass surveillance activities carried out by the NSA. This wikileaks reveal, however, was simply tools used by the CIA in doing their jobs. There is no evidence that these tools were used to power illegal surveillance.
What does it mean for vendors whose products are part of the Vault7 dump?
Many of the revealed vulnerabilities are from older OS or platform versions. The first thing you should do is urging your users to upgrade to the latest versions and platforms. In the meantime, you must determine how the vulnerability could be exploited, even though exploit code was not part of the dump, and determine the best course for remediation.
Beyond that, as a more proactive step to protect your products and your users, companies should consider implementing bug bounty programs to leverage third party security expertise beyond those of their own.
What does this mean for Signal and WhatsApp users?
Vault 7 revelations do not indicate means to attack the Signal and WhatsApp functionality. Rather, the hacks target the endpoint devices, which presumably means Signal and WhatsApp secure communications were too difficult to crack. Those headlines that proclaim “Signal and WhatsApp users are in trouble” are irresponsible journalism. If you are using Signal and WhatsApp, good for you and keep it up!
What are the moral obligations of an agency like the CIA when they discover 0-day vulnerabilities?
A zero-day exploit is a powerful digital weapon. Falling into the wrong hands, 0-days could cause significant damage. It is an interesting question to ponder whether the government is morally obligated to inform the manufacturer of the product if they found a 0-day vulnerability - if the CIA can find it, maybe others can as well. President Obama’s Intelligence working group once pointed out that the government should not be using capabilities like 0-days to conduct surveillance. However, there is little legal pressure to make this happen. CIA, and other government agencies, will most likely unwilling to disclose their knowledge of 0-days, even to the original product manufacturers.
As a device user, what is the one thing that I could do to protect my privacy and security?
Upgrade to the latest OS and software version. If you don’t know how to do it yourself, like upgrading the firmware on your Samsung TV, find someone who knows to help you.