The Vault 7 leak that appeared early in March of 2017 either represents the most significant disclosure of classified information since documents taken from the U.S. government by former CIA employee Edward Snowden first began appearing in 2013, or it may be even “bigger than Snowden.”
Here are seven lessons from this leak, with some help from F-Secure experts, including one of our newest fellows Andrea Barisani — an internationally recognized security researcher, founder of Inverse Path and now head of hardware security at F-Secure:
1.These leaks exposed what professionals assumed.
With Vault 7, Wikileaks presented what it called “the entire hacking capacity of the CIA” in nearly 9,000 documents. And the capabilities appear to include the ability to break into smartphones, computers and even Internet-connected TVs using tricks that can allegedly bypass most major antivirus solutions, including F-Secure, a claim our Labs immediately began investigating.
Wikileaks’ method of directly posting the entire leak online is in contrast to the Snowden links, which were curated by journalists from The Guardian, The Intercept and the Washington Post. While the current leak — like the Snowden leaks that began nearly four years ago — shocked many internet users, it merely confirmed the suspicions of security professionals around the world.
2. But Vault 7 should be a wake-up call for the public.
“These programs are expected from certain agencies,” Andrea told us. “I think the major impact of the leaks won’t be within the security community but with the larger public that might find such practices absolutely unexpected.”
Hypponen’s law says, “Whenever an appliance is described as being ‘smart,’ it’s vulnerable.”
Hopefully these leaks are making millions and billions people around the globe aware that anything that’s connected to the internet can be hacked, whether it’s a TV or a toaster.
Or, as The Onion put it…
The security of the developing Internet of Things has often been an afterthought.
“It is essential to ensure design and implementation is secure from the start,” Andrea said.
Last year insecure IoT devices helped bring us the largest attack on internet infrastructure ever.
If that didn’t convince us to start getting serious about securing all smart devices, maybe Vault 7 will.
As Andrea told us, “The time to act is now… if not yesterday.”
3. The best OPSEC tactic is to never be targeted by a “three-letter agency.”
Intelligence agencies around the world have trillions of dollars to spend — and after the role cyber security played in the 2016 U.S. election you can be sure they will be spending more and more on hacking. And if you have enough money and man hours, anything is possible.
“The question is really not whether the CIA can bypass our products, the answer to that is always yes,” explains Mikko Hypponen, F-Secure’s Chief Research Officer. “If they cannot do it right now, they invest another million to find a flaw. It has seemingly bottomless funds to dedicate to such activities. The scale of its hacking campaign against security vendors and hardware manufactures outlined in the Wikileaks files attests to that.”
4. There is danger in these leaks.
Chances are you’re not being targeted by the CIA and don’t have to worry about being directly targeted by its arsenal of hacking tools. But the “zero day” vulnerabilities in the leaks, which were not revealed to vendors previously, present risks for internet users all over the globe.
“Once specific exploits get out, they can be leveraged by all kind of criminal groups,” Andrea told us. “Their dissemination therefore must not be taken lightly.”
Mikko finds the CIA’s harboring of these unknown vulnerabilities ironic — and troubling.
“In countries like the US, the Intelligence Agency’s mission is to keep the citizens of their country safe,” he said. “The Vault 7 leak proves that the CIA had knowledge of iPhone vulnerabilities. However, instead of informing Apple, the CIA decided to keep it secret. So the leak tells us a bit about how the CIA decided to use its knowledge: it considered it more important to keep everybody insecure than protecting its citizens from the vulnerability, and maybe use the vulnerability for its own purposes or counter terrorism purposes.”
5. Updates matter.
These leaks show how important it is for democratic nations to do proper oversight of their intelligence agencies. And they also show how important it is to keep your devices updated.
These leaks confirm a truism: software is never perfect. Vulnerabilities need to be constantly patched.
Both Apple and Google responded to the Vault 7 leaks with assurances that the keep their customers safe with security updates. The latest versions of both iOS and Android provide for the best available security. However, telemetry from our Freedome VPN finds that iOS users are far more likely to be running updated software than Android users. While most Apple users were running the latest version of iOS, 10.2, only a fraction of Android users had upgraded to Android version 7, which was released in summer of 2016.
“Bottom line: if you run Android and care at all about your device’s security… choose your hardware with care,” Sean Sullivan, F-Secure Security Advisor wrote. “Only a few select vendors are currently focused on providing Google’s monthly security updates to end users.”
6. We told you we didn’t have any backdoors.
For years, we have been saying that there are no backdoors in our solutions for law enforcement agencies. And this now actually proves our point that intelligence agencies have to break our products. We are glad to see it’s difficult for CIA to bypass our protection.
7. These obviously won’t be the last leaks.
“It’s no surprise that the CIA is using these hacking techniques. What is unsuspected is the leak, and it’s huge,” Mikko said. “So the question is who leaked it to Wikileaks? The Russians, an insider? We don’t know the answer. Another question we need to ask us, why was it leaked now?”
Answers to these questions might help predict the next set of leaks we’re likely to see. But for now, if you’re involved in politics or business at a national or international level you have to assume someone is hacking you.
If not, you may want to take that as an insult.
[Image by Mike Mozart | Flickr]