By Meg Wagner
A stash of hacking tools
Newly leaked documents allege that the U.S. government can hack into smartphones and spy on their owners — potentially putting millions of iPhone and Android users at risk.
International whistleblowing website WikiLeaks on Tuesday published a trove of what it claims are CIA documents — 7,818 web pages and 943 attachments, dated between 2013 and 2016 — describing malware and other tools the agency has stockpiled and could potentially use to hack into consumer electronics.
Both the CIA and the White House refused to comment on the documents, but some non-affiliated security experts said that they appear to be authentic.
The documents, dubbed “Vault 7,” make no mention of potential targets, and there’s no evidence to suggest that the tools have been used against American citizens. Instead, they describe how CIA hackers can exploit vulnerabilities in popular electronic devices — smartphones, smart TVs, computers and even cars — to access data without users’ knowledge.
Soon after the leak, Apple said that its latest iPhone operating system — released in January and used by 80 percent of customers — has already patched up “many” of the vulnerabilities detailed in the document dump. It’s unclear how many security holes are still open.
“The technology built into today’s iPhone represents the best data security available to consumers, and we’re constantly working to keep it that way,” Apple said in a statement.
Google, which develops and maintains the Android operating system, declined to comment about the allegations. But mobile security experts estimated that it has a “couple of dozen” vulnerabilities to fix.
These vulnerabilities only appear to target Android 4.4 and earlier, which about a third of users run.
Not just smartphones
The documents describe a plethora of methods that the CIA can use to hack into a number of internet-connected devices. The agency has a stockpile of malware and viruses it can use to override security systems and has been keeping tracks of security holes in various operating systems, WikiLeaks alleged.
While iPhones and Android-based smartphones are some of the most common devices the CIA can allegedly hack, they are by no means the only gadgets at risk, WikiLeaks claimed.
Many of the documents showed ways that hackers could break into personal computers. One tool — dubbed “RickyBobby,” an apparent reference to the main character in the 2006 Will Ferrell movie “Talladega Nights” — has the power to harvest files on PCs running the newest versions of Windows. Other malware could attack Apple computers running Mac OS X and devices with Linux operating systems.
One document detailed how the CIA could hack into a Samsung smart TV and turn it into a spy device. After breaching the security system, a hacker could disable the screen and LED lights on the front — making it look as if it were totally off — but keep the built-in microphone rolling, potentially recording conversations.
Even internet-connected cars could be at risk, WikiLeaks warned.
“As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks.The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations,” WikiLeaks said.
A consumer wake-up call
Security experts said the hacking allegations are a reminder that all internet-connected devices are vulnerable to security breaches. But even so, they insist, tech users shouldn’t worry too much.
“You shouldn’t be too concerned about the CIA hacking you unless you’re doing something illegal,” said Ed Mierzwinski, consumer program director for consumer advocacy group U.S. PIRG. “But this should be a wake-up call for the average consumer.”
Experts encouraged tech users to abide by security best practices: make sure your passwords are strong, change them regularly and keep software systems up-to-date.
Want to be more proactive? If you’re worried about your TV spying on you, unplug it when it’s not in use. You can also cover your laptop’s camera with tape to prevent hackers from turning it on remotely (even Facebook’s Mark Zuckerberg does it).
The documents have not proven that the CIA is actually spying on any Americans — but if the agency decided to, there’s not a whole lot any one individual could do to fight it.
“If a spy agency wanted to compromise your devices, there’s little you could do,” Katie Moussouris, founder and CEO of cyber security firm Luta Security, told CNN. “It’s like defending from an assassin — not likely to be after you, and nothing you can do if they are.”