'No big surprise' says security industry in response to CIA data breach

News by Tom Reeve

The CIA breach is being described as the biggest "since Snowden", and yet most in the security industry have expressed the view that "spooks will be spooks".

The cyber-security industry has responded to the latest leak of intelligence community data by WikiLeaks with a big wet 'meh'.

WikiLeaks published yesterday what it describes as a leak of confidential documents from the CIA detailing the tools and vulnerabilities it allegedly uses to break into phones, communication apps and other electronic devices.

The trove of documents, part of the so-called Vault 7 which WikiLeaks has been trailing for several weeks, contains 8761 files which allegedly show the scope and direction of the CIA's global covert hacking programme.

It contains descriptions of its malware arsenal including dozens of "zero day" weaponised exploits against a wide range of consumer products including Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.

WikiLeaks says the collection amounts to more than several hundred million lines of code, and “gives its possessor the entire hacking capacity of the CIA”. WikiLeaks has called for the software to be “analysed, disarmed and published”, but has not published any of the actual code.

Already, some commentators have said the files include far more pages than the Snowden files that exposed the vast hacking power of the NSA and other agencies.

Overnight, security experts around the world have pored over the documents and the TL;DR is that they simply "don't matter".

Those are the words of Slawek Ligier, VP security engineering at Barracuda, who says the vulnerabilities are not news, and “[the vulnerabilities have] been possible for a while now. The disturbing part is that spy agencies seem more interested in stockpiling vulnerabilities for a future exploit rather than working with vendors to close the gaps.”

Ilia Kolochenko, CEO at High-Tech Bridge, said that it didn't appear that the CIA was doing anything unlawful – far from it, it's the agency's job to develop the means to eavesdrop on targets of interest. “If the intelligence agencies were using advanced resources to spy on innocent citizens or intervene in government, it would raise many questions, but the fact that they have developed many tools including cyber-weapons is perfectly normal,” he told SC Media UK.

He questioned whether there was even anything new in the release and speculated that it could even be a ploy to distract the attention of the public and foreign intelligence agencies. "People are talking about the [Weeping Angel] Samsung TV hacking tool, and that was something that was public several years ago," he said. "That's not something that's going to make you say 'wow'. It looks like a honeypot strategy – it's deflecting attention from other things."

Many of the techniques described in the CIA files appear to have been developed after CIA staff attended public hacking conferences. One document discusses how to weaponise a USB stick using BadUSB, the subject of a talk at Black Hat USA in 2014 by Security Research Labs.

Other capabilities described in the documents include exploits that allow an attacker to take control of a device's microphone and camera, keystroke loggers for Windows and antivirus evasion tools, all of which are readily available for free or for a price on the dark web.

“I've looked at a list of these leak tools [on various websites] and I don't see anything that's a revolution,” said Kolochenko. “All of these are based on what's already available – either more or less sophisticated than what's in the public domain.”

He added that it wouldn't make a lot of sense for the CIA to spend a lot of money amassing a toolkit with hundreds of weapons because of the risk they would be rendered obsolete when the vulnerabilities on which the tools depended were discovered and patched.

Jim Walter, a senior researcher with Cylance, also observed that the CIA appears to borrow heavily from existing research and known vulnerabilities, possibly for reasons of efficiency. “There are clear instances where the owner of this code is inspired by (and sometimes borrowing directly from) well-known malware. Familiar names like HiKit, Shamoon, and Nuclear EP appear multiple times, so it is interesting to see what threats the owner is taking cues from,” he said.

Vince Steckler, CEO at Avast: "The concern, even anger, that the CIA is spying reminds me of the old Casablanca line about a casino – 'I am shocked, just shocked, that there is gambling going on in here.' Of course the CIA, and probably most of the world's spy agencies, are looking for vulnerabilities and attempting to exploit them. That is their job."
