The publication by WikiLeaks of documents it says are from the CIA’s secret hacking program describe tools that can turn a world of increasingly networked, camera- and microphone-equipped devices into eavesdroppers.
Smart televisions and automobiles now have on-board computers and microphones, joining the ubiquitous smartphones, laptops and tablets that have had microphones and cameras as standard equipment for a decade. That the CIA has created tools to turn them into listening posts surprises no one in the security community.
In a statement to CBS News, the CIA said it had no comment on the authenticity of the documents or the status of any investigation into their source.
“CIA’s mission is to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries. It is CIA’s job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad,” the agency said. “It is also important to note that CIA is legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and CIA does not do so.”
The agency also warned that the disclosure of hacking tools could allow America’s adversaries to take advantage of them, too.
The release of the documents by WikiLeaks has prompted many questions about potential vulnerabilities.
Q: How worried should consumers be?
A: The intrusion tools highlighted by the leak do not appear to be instruments of mass surveillance. So, it’s not as if everyone’s TV or high-tech vehicle is at risk.
“It’s unsurprising, and also somewhat reassuring, that these are tools that appear to be targeted at specific people’s (devices) by compromising the software on them — as opposed to tools that decrypt the encrypted traffic over the internet,” said Matt Blaze, a University of Pennsylvania computer scientist.
The exploits appear to emphasize targeted attacks, such as collecting keystrokes or silently activating a Samsung TV’s microphone while the set is turned off. In fact, many of the intrusion tools described in the documents are for delivery via “removable device.”
Q: What can be done to prevent a compromised internet-connected device from communicating with spies?
A: Not much if you don’t want to sacrifice the benefits of the device.
“Anything that is voice-activated or that has voice- and internet-connected functionality is susceptible to these types of attacks,” said Robert M. Lee, a former U.S. cyberwar operations officer and CEO of the cybersecurity company Dragos.
That includes smart TVs and voice-controlled information devices like the Amazon Echo, which can read news, play music, close the garage door and turn up the thermostat. An Amazon Echo was enlisted as a potential witness in an Arkansas murder case.
To ensure a connected device can’t spy on you, unplug it from the grid and the internet and remove the batteries, if that’s possible. Or perhaps don’t buy it, especially if you don’t especially require the networked features and the manufacturer hasn’t proven careful on security.
Security experts have found flaws in devices — like WiFi-enabled dolls — with embedded microphones and cameras.
Q: I use WhatsApp and Signal for voice and text communication because of their strong encryption. Can the exploits described in the WikiLeaks documents break them?
A: No. But exploits designed to infiltrate the operating system on your Android smartphone, iPhone, iPad or Windows-based computer can read your messages or listen in on conversations on the compromised device itself, though communications are encrypted in transit.
“The bad news is that platform exploits are very powerful,” Blaze tweeted. “The good news is that they have to target you in order to read your messages.”
Apple and Google, the company behind Android, have issued statements saying many of the alleged vulnerabilities in their operating systems have already been patched.
Blaze and other experts say reliably defending against a state-level adversary is all but impossible. And the CIA was planting microphones long before we became networked.
Q: I’m not a high-value target. But I still want to protect myself. How?
A: It may sound boring, but it’s vital: Keep all your operating systems patched and up-to-date, and don’t click links or open email attachments unless you are sure they are safe.
There will always be exploits of which antivirus companies are not aware until it’s too late. These are known as zero-day exploits because no patches are available and victims have zero time to prepare. The CIA, National Security Agency and plenty of other intelligence agencies purchase and develop them.
But they don’t come cheap. And most of us are hardly worth it.