The inner workings of the CIA’s cyber-espionage operations were at risk of being laid bare on Tuesday, after WikiLeaks published what it claimed was the first part of a large trove of documents detailing the US agency’s techniques for hacking into smartphones, internet-connected TVs and other devices.
The documents purported to reveal a stockpile of malware used by the CIA to break into some of today’s most widely-used technologies, including phones and tablets running on Google’s Android operating system and Apple’s iOS. The tools included “Weeping Angel”, a piece of malware WikiLeaks said was developed with UK intelligence services that can turn Samsung’s “smart” TVs into living room spies listening in on their owners.
By taking control of smartphones in this way, WikiLeaks claimed the agency was also able to get around the protections built into encrypted messaging services like WhatsApp, Telegram and Signal, which have gained in popularity as many users have looked for stronger protection against prying eyes.
Tuesday’s release echoed the massive dump of National Security Agency documents that began in 2013. Those files, handed over to reporters by former NSA contractor Edward Snowden, caused an international political storm and exposed fissures between Washington and some of the largest US tech companies, which found their products had come under attack by their own government.
WikiLeaks claimed that the trove of CIA information it had obtained, which it called Vault 7, included “several hundred million lines of code”, including many of the agency’s cyberweapons. It published close to 9,000 documents and files on Tuesday, and said it would only reveal details of the malware and other cyberweapons after it had been “analysed, disarmed and published.”
“The archive appears to have been circulated among former US government hackers and contractors in an unauthorised manner, one of whom has provided WikiLeaks with portions of the archive,” it said.
Privacy campaigners immediately attacked the disclosures. “We’ve suspected since the NSA leaks that the US and other nationals have been building arsenals of malware,” said Peter Eckersley, chief computer scientist at the Electronic Frontier Foundation. “This is confirmation.”
The disclosures are likely to raise new questions about government use of so-called “zero day” exploits: attack code that takes advantage of flaws in common technology products that the vendor has not yet identified or patched.
Security experts warn that by using these tools for espionage or law enforcement, agencies like the CIA risk releasing powerful cyberweapons into wider use, helping criminals and terrorists.
The Obama administration promised to severely limit its collection of such tools after the Snowden revelations, keeping only a small, undisclosed number for national security reasons. WikiLeaks said the files it had obtained included “dozens of ‘zero day’ weaponised exploits.”
US tech companies were scrambling on Tuesday to understand the extent of the reported CIA cyber-arsenal and the risk it posed to users of their products. Two of the largest said they were still analysing the WikiLeaks files, while claiming that many of the zero-day weapons featured in the leaks were likely to be out of date.
The Vault 7 files date from 2013-2016, according to WikiLeaks, with the most recent cyberweapons targeted at Apple’s mobile operating system applying to version 9.2 of the software. This was superseded by a more up-to-date version of iOS last year and a large number of iPhone and iPad users update their software to the latest versions, potentially protecting them from older forms of malware. Many owners of Google’s Android devices, by contrast, use old versions of the software.
An official at another tech company pointed out that the WikiLeaks papers did not include any CIA claims to have broken the encryption used by the devices or messaging apps. Mr Eckersley and others said this suggested that recent moves to protect users from spying by governments were proving successful, since the intelligence agencies were being forced to break into devices one at a time rather than mounting a “dragnet” to catch large amounts of digital communications.
In a tweet soon after the release, however, Mr Snowden warned that the implications of the CIA hacking could still be serious. WikiLeaks’ discussion of Vault 7 “incorrectly implies CIA hacked these apps / encryption,” he wrote on Twitter. “But the docs show iOS/Android are what got hacked — a much bigger problem.”
The documents could stir up transatlantic political tension. One identifies the US consulate in Frankfurt as a centre for “Europe Engineering” and gives advice to American agents working there. If flying Lufthansa, they are told: “Booze is free so enjoy (within reason)!” They are also instructed to “breeze through German customs” by using the cover story that they are “supporting technical consultations at the consulate.”