Vault 7 Has Few Surprises

This week WikiLeaks published a collection of internal documents from the CIA describing some of their hacking and surveillance tools. The press release that accompanied this was full of hyperbole, and some of that was picked up by the initial press coverage, so just to set the record straight:

• The CIA can only bug your TV if it is an older model and they have physical access to it. Vulnerabilities in smart TVs have been common knowledge for several years.
• The CIA can only compromise encrypted messaging services such as WhatsApp and Signal if they have compromised your phone in some other way. Then they can intercept the message outside of the app, before it is encrypted. We knew that already, too.
• Many of the vulnerabilities discussed have already been patched. Some have not but will be soon. The CIA is not sitting on a huge hoard of zero days, though if they discover one they will keep it for internal use rather than responsibly disclosing it.
• The CIA is not using Russian malware to conduct false flag operations.
• This will not make it easier for other actors to start hacking, as WikiLeaks did not publish the source code or executable used by the CIA. If WikiLeaks is genuinely acting in the public interest as they claim (rather than as a propaganda arm of Russian Intelligence as many believe) they will responsibly disclose the tools only to the vendors of the vulnerable software so that it can be patched.
• The CIA is not breaking any US laws, except for violating the GNU Public License.

In other words, the CIA is doing exactly what it is supposed to do - spying on a high value targets using a variety of sophisticated (and not so sophisticated) tools. Phishing attacks are still a far bigger threat to most enterprises than anything discussed in the Vault 7 dump. Interestingly phishing is barely mentioned in the dump. It's strange that such a widespread and useful technique is not discussed there. My initial thought was that perhaps the CIA had more powerful and reliable ways of compromising any sort of device, but looking at the documents it does not appear so. However, WikiLeaks has made it clear that these documents are part of a much larger collection, so perhaps whoever edited these for publication did not wish to call attention to this particular technique. While there are several vulnerabilities that the CIA uses to attack mobile devices there is no discussion of secure Androids such as the Blackphone, Solarin, or the Copperhead open source version of the Android OS. So far these may not have achieved enough market penetration for the CIA to devote resources to compromising them. The good news is that secure communications are most likely still possible if both parties are using a hardened Android and strong encryption.