Day 6

Vault 7: How the CIA's secret stash of 'zero day' hacks could leave your devices vulnerable

Wikileaks released 8,761 top-secret CIA documents this week, revealing a long list of hidden bugs that intelligence officials can use to hack into everyday devices like iPhones and smart TVs. Now, security experts are asking why the CIA chose to keep the bugs secret instead of warning companies that their devices were vulnerable to hackers. Jenna McLaughlin of The Intercept unpacks the controversy.
The lobby of the CIA Headquarters Building in Langley, Virginia, U.S. (Reuters)

It's been billed as the largest CIA document leak in history.

On Tuesday, Wikileaks released 8,761 top-secret CIA documents, outlining the agency's surveillance techniques in unprecedented detail.

While both the CIA and the Trump administration have refused to confirm the files' authenticity, they are widely believed to be legitimate.

Code-named "Vault 7," the documents reveal a long list of hidden weaknesses that would enable intelligence officials to hack into every-day devices like routers, smartphones and Smart TVs.

The hacking exploits include the first public evidence that the CIA is capable of taking full control of an iPhone, as well as more than 25 Android hacking techniques and an attack dubbed the "Weeping Angel," that enables individuals to record conversations through a Samsung Smart TV.

While news that the CIA is spying on peoples' phones was hardly a revelation, the sheer size of the agency's hacking arsenal came as a surprise to tech companies like Apple and Google.

The documents leaked by Wikileaks indicate that the CIA is able to hack into a wide range of devices, including both Apple and Android smartphones. (CBC)

That's because the documents include a number of "zero day" vulnerabilities, a term for software bugs and security weaknesses that are completely unknown to the companies that built the devices.

Now, some security experts are asking why the CIA chose to hoard so many of these secret hacks instead of disclosing them to the companies that make our devices.

Jenna McLaughlin, a reporter with The Intercept who covers surveillance and national security, has been closely following the news of Wikileaks' dump and she tells Day 6 host Brent Bambury, the leaks could have significant repercussions for both CIA officials and everyday device users.

People attend a video conference of WikiLeaks founder Julian Assange on June 23, 2016. (RODRIGO BUENDIA/AFP/Getty Images)


Where does the CIA get its hacks?

According to McLaughlin, some of the security weaknesses and attacks listed in Wikileaks' documents were identified and developed internally by CIA employees. But she says others were purchased from private companies.

Jenna McLaughlin,The Intercept

"There are several companies that do this sort of work," she says. "Sometimes those people are former government agents… they understand the kind of needs the government has."

"It really just depends on what they need, but they definitely don't do everything themselves."

The business of developing "zero day" vulnerabilities is lucrative. Individual hacks can cost hundreds of thousands of dollars, McLaughlin says.

Former CIA acting director Michael Morrell dubbed this week's data leak "CIA's Edward Snowden," referencing to Snowden's leak of NSA data in 2013. (The Guardian/Getty Images)

And there's no guarantee that the individuals or companies who sell those hacks to the CIA won't also sell the same information to others, some of whom may be interested in targeting every-day technology users. 

"Certain companies could sell these things to other locations," McLaughlin says.

"A lot of the companies have better reputations than others, but there's also a black market for these things."

In the wrong hands, "zero day" vulnerabilities like those described in the leaked CIA documents can have dire consequences.

Last summer, Arab activist Ahmed Mansoor was targeted by multiple companies who used expensive hacking tools to try to remotely hack his iPhone.

Mansoor, who had been targeted in the past by the government of the United Arab Emirates, was able to recognize the attack and report it.

Soon after, Apple issued a global iOS update that patched the security weakness. But according to McLaughlin, not all hacking victims are as lucky as Mansoor.

"If you're an activist in the UAE, the danger is that you get hacked; they discover… the things that you're working on that might be anti-government, and next thing you know, you end up in a jail cell somewhere, never to be heard from again."

A pedestrian uses a smartphone as he walks in San Francisco, California. (Sullivan/Getty Images)


"Vault 7": What's at stake for consumers

In the wake of Tuesday's leak, Apple was quick to issue a statement saying that many of the vulnerabilities listed in the documents have already been patched in the company's latest operating system.

But many companies are still scouring the documents for secret 'back door' hacks that could put their customers at risk.

According to McLaughlin, there's evidence that some of the attacks listed in the Wikileaks files may still be viable.

"In the chart of the hacks themselves, there was a column that lists… its "death date," the date the hack no longer worked," she explains. "A couple of them don't have dates listed there."

If the CIA was able to find the bugs, malicious 'black-hat' hackers could probably find them too.

"Now that these capabilities are disclosed, there are certainly people out there who would like to use these for their own purposes," McLaughlin says.

On Thursday, Wikileaks announced that it will provide tech companies with exclusive access to the detailed code behind the CIA's hacking tools so that they can patch the holes in their software's security.

Jenna McLaughlin,The Intercept

But even after those security bugs have been addressed, questions will remain about how the CIA decides which hacking vulnerabilities it's willing to disclose — and which ones it will keep secret for its own purposes.

"There are a lot of equities to satisfy, and you … need to ask certain questions to determine whether or not certain vulnerabilities should be disclosed to the companies or kept within the government," McLaughlin says. "That's something that people are still talking about a lot."

A figure walks in front of a wall marked with computer code at an Internet security firm in Moscow, Russia. (Kirill Kudryavtsev/AFP/Getty Images)

In 2014, then-U.S. President Barack Obama redeveloped the Vulnerabilities Equities Process, which provides a set of guidelines and criteria used to determine when the U.S. government is justified in keeping zero-day vulnerabilities a secret.

But to date, we know remarkably little about how those choices are made, McLaughlin says.

"We still don't know a lot about [that process]," McLaughlin says. "But the idea behind it is to bring together various agencies with the White House to discuss whether or not a certain hacking tool is better off staying in the hands of the CIA, being used against high-value targets or whether it should be handed over to the companies to be fixed."

"It's not always a clear-cut case."

Last week, the FBI made headlines when federal prosecutors opted to drop an indictment against a child pornography website, rather than disclose a useful hacking vulnerability that could affect the Mozilla web browser.

Julian Assange, Founder and Editor-in-Chief of WikiLeaks, speaks via video link during a press conference to mark Wikileaks' ten year anniversary celebration in October 2016. (Axel Schmidt/Reuters)

"There are a lot of cases running through court, and sometimes the FBI decides that it's not worth it for the rest of their cases to disclose this proprietary information," McLaughlin says. "So sometimes, they'd rather throw out a case and let somebody that may or may not be guilty go free."

"It's something that I think people will be discussing for a while, whether or not the FBI should be doing that."

But regardless of whether or not U.S. intelligence agencies choose to disclose the security flaws they discover, McLaughlin says we'll probably never see a device that is completely protected against hackers.

"The Internet and code and all of our devices are incredibly complex, and it's almost impossible — if not absolutely impossible — to design perfect code with absolutely no mistakes in it."

To hear Brent Bambury's conversation with Jenna McLaughlin, download our podcast or click the 'Listen' button at the top of this page.