Users of everyday electronic devices may have been surprised at news that a CIA unit had developed ways to hack into them with ease. But cybersecurity experts greeted the news with a shrug.
“What’s surprising is that the general public is still shocked by stories like these,” said Omer Schneider, chief executive of CyberX, a Framingham, Massachusetts, cybersecurity company.
The anti-secrecy group WikiLeaks has begun publishing what it says are files leaked from a unit of the CIA known as the Center for Cyber Intelligence that designed tools to hack into Apple and Android smartphones, activate microphones on Samsung smart TVs and implant malicious code in common software and products, including those from Microsoft.
The group published 8,761 leaked files Tuesday and said in a tweet Wednesday that the initial batch made up less than 1 percent of the leaked files in its possession. WikiLeaks has dubbed the leak Vault7, and said the material dates from 2013 until 2016.
The CIA issued a statement Wednesday and, without confirming or denying the authenticity of the documents, said such disclosures could “jeopardize U.S. personnel and operations” and “equip our adversaries with tools and information to do us harm.” It added that the agency conducts no surveillance within the United States and is barred by law from doing so.
TV newscasts and newspapers featured reports of the leak prominently, but the news seemed less significant to cybersecurity experts immersed in a near-daily battle against hackers.
“It’s kind of a yawner,” said Michael Hamilton, chief executive of Critical Informatics, a cybersecurity company in Bremerton, Washington. “This is a whack-a-mole game.”
Major high-tech firms did not voice any particular alarm at the WikiLeaks disclosures.
“We’re aware of the report and are looking into it,” said Ross Richendrfer, a spokesman for Microsoft, the Redmond, Washington, software and consumer electronics giant.
Fred Sainz, a spokesman for Apple, of Cupertino, California, said in an email that the company had already patched some of the vulnerabilities disclosed in the WikiLeaks CIA files, and “we will continue work to rapidly address any identified vulnerabilities.”
The CIA and other U.S. intelligence agencies are far from alone in developing means to hack into everyday devices or engineer ways to penetrate networks. It may not even be surprising that they maintain stashes of particular software vulnerabilities, known in the field as “zero days,” that allow intruders to slip in undetected.
“The main issue here is not that the CIA has its own hacking tools or has a cache of zero-day exploits. Most nation-states have similar hacking tools, and they’re being used all the time,” Schneider said.
Just last month, he said, CyberX published a report on a “massive cyber-reconnaissance operation in Ukraine we named Operation BugDrop that used similar tactics to those detailed in the CIA emails.”
A scramble followed the WikiLeaks disclosures, experts said, as hackers and cybercrime groups perused the document dump to see whether they could glean new ways to build malware to extort victims, although WikiLeaks said it had withheld source code for the CIA hacking tools.
Major U.S. firms also hustled to see whether vulnerabilities disclosed in the purported CIA documents were fresh and still active, although some hacking tools date back several years, an eon in tech time, and were probably already known and patched up.
“As more time goes by, vulnerabilities may get resolved because vendors update their code,” said John Bambenek, threat systems manager of Fidelis Cybersecurity, a Bethesda, Maryland, firm.
Bambenek said his company had fielded some concerned calls.
“We’ve had customers asking, ‘Is your security technology going to protect us from this stuff?’” Bambenek said.
Others concurred that software and hardware companies are accustomed to acting rapidly, even if consumers lag in downloading new versions of software with updated security.
“Once an exploit has been publicly disclosed, the software or hardware vendors are generally fast at responding with software patches that can be applied quickly and easily in most cases,” said Philip Lieberman, president of Lieberman Software Corp. of Los Angeles.
So many viruses, trojans and malicious implants float around on the internet these days that the CIA tools just add to the roster of worries that cybersecurity experts cope with daily, they say. Some of the CIA tools may still be “zero day,” or widely unknown and destructive.
“The small amount that are still ‘zero day’ will cause harm but no more harm than the current level of thousands of exploits being written daily,” said Paul Calatayud, chief technology officer at FireMon, an Overland Park, Kansas, cybersecurity firm.
Now that powerful tools appear to have leaked, U.S. consumers and companies will feel the repercussions as any CIA-designed malware gets adapted for use against the United States.
“As all this stuff gets weaponized and it gets pointed back at us, that’s when there will be an uptick” in the cybersecurity business, Hamilton said. “It’s kind of a race.”
Schneider echoed that sentiment: “Our concern is that Vault7 makes it even easier for a crop of new cyber-actors to get in the game.”
But Bambenek said the disclosure about “Weeping Angel,” the program that allows the CIA to activate the microphones on Samsung smart television sets, was not particularly new. He said he’d seen a similar exploit at a trade show in Vancouver in 2013.
“OK, so the CIA has a tool that can help them listen through a TV. What did you think the CIA does?” Bambenek asked.