A worker sweeps the foyer clean at CIA headquarters in Langley, Virginia.(Photo: DENNIS BRACK / POOL, EPA)
SAN FRANCISCO — The computer security world is bracing for the next bombshell from the massive Wikileaks document leak: disclosure of the actual computer code for the CIA's alleged cyberweapons.
On Tuesday, the website WikiLeaks published more than 8,000 of what it said were official documents detailing CIA tools for hacking into the software and systems of popular consumer technology, from Windows to iPhones to Android devices. The cyberweapons, the documents suggested, could even turn Samsung smart TVs into eavesdropping spies.
But the crusading site didn't release the code, saying it was postponing release “until a consensus emerges on the technical and political nature of the C.I.A.’s program" and how the cyberweapons could be disarmed.
Simply the existence of such tools, while not surprising to many in the security field, was enough to raise privacy hackles. Enticed by convenience, consumers are increasingly keeping Internet-connected super computers in their pockets, on their dressers and in their cars. These not only know their users' plans, tastes and locations, but also frequently are "listening" for a prompt.
The release of the codes, warn some security experts, would be the cyber equivalent of releasing a neutron bomb in the middle of Times Square.
Suddenly, sophisticated cyber weapons created by one of the world's most powerful intelligence agencies would be available to anyone, from small countries without their own state computer security apparatus to teen hackers in their bedrooms.
The possibilities are giving security experts the willies. Possible potential effects:
- difficult-to-detect eavesdropping software being planted on the phones of millions of users
- the ability to make smartphones running the Android operating system spy on the WiFi networks around them
- access to a program that sits quietly on a device until a specific event or action occurs, which launches it into send mode to a specific "listener."
“There are clear Pearl Harbor Day scenarios,” says Philip Lieberman, president of Los Angeles-based computer security company Lieberman Software. These could range from simple inconveniences — no email — to more troublesome things.
How troublesome? Take the oddball software update glitch in June that make Lexus radio and navigation systems inoperable. Now, consider — as the CIA did in a meeting in 2014, according to the WikiLeaks documents —if a hacker released a code that infiltrated and took over systems in such Internet-connected cars, one that couldn't be reset.
The prospect of what hackers could do with the code is "so mind-boggling that it’s difficult to categorize all the consequences,” says Robert Cattanach, a partner at international law firm Dorsey & Whitney and previously a trial attorney for the Justice Department. “As individuals, we would no longer have any reasonable expectation of privacy,” he said.
Even without the code, the WikiLeaks release is a treasure trove for hackers because simply knowing that something has been done gives them crucial clues about how to build the tools described.
With that in mind, big software companies such as Apple, Microsoft and Samsung are already looking into, and in some cases creating fixes for, these problems. Apple, in a late Tuesday statement, said it's already fixed many of the security issues detailed by WikiLeaks. Samsung said it was "urgently looking into the matter."
“If manufacturers aren’t scrambling now to build patches for these problems, they are being derelict,” says Herbert Lin, a senior research scholar for Cyber Policy and Security at Stanford University.
Code that doesn't get patched, or more likely devices whose owners neglect to update them, would remain vulnerable.
And if the code is released, it would turn the economics of hacking upside down. Where once those with the most resources, like the CIA, had the best code, now it would be available to everyone.
“Smaller countries and other hacking groups just became the benefactor of a massively-funded state level hacking team,” Eric Ahlm, a senior security researcher with Gartner.
Federal authorities on Wednesday launched a criminal investigation into the release of the CIA documents.
For consumers, there are two things they should focus on: "Patch their software when a patch is available and use two-factor authentication whenever available," said Paul Querna, chief technology officer at security company ScaleFT.
Living in a post-privacy world
If the documents are legitimate, as many cybersecurity experts believe they are, it paints an alarming picture of spy agencies more interested in stockpiling vulnerabilities for a future exploit than working with vendors to shore up vulnerabilities.
The escalating digital arms race comes at a time when President Trump has a contentious relationship with with the intelligence community and is in an antagonistic dance with the tech world over American jobs, tariffs and taxes. And it puts the president in a sensitive spot since he famously said, "I love WikiLeaks," for its role in publishing email from the account of Clinton campaign manager John Podesta.
"If the CIA knows of a specific exploit, chances are that the MI6, FSB, MSS and Mossad are aware of it as well," says Slawek Ligier, vice president of engineering at computer security firm Barracuda Networks.
CLOSE
WIKILEAKS RELEASES CIA'S CYBER TOOLKITFeds launch probe of WikiLeaks documents on alleged CIA hacking | 0:44
The Feds are opening up a criminal investigation into the latest document leak from WikiLeaks, while the FBI works to find the source of the leak. Veuer's Nick Cardona has the story. Buzz60
1 of 8
CLOSE
WIKILEAKS RELEASES CIA'S CYBER TOOLKITWikiLeaks data dump likely came from contractors | 1:25
In the wake of WikiLeaks’ massive document dump belonging to the CIA, Washington is scrambling to figure out the source. Nathan Rousseau Smith (@fantasticmrnate) has the latest. Buzz60
2 of 8
CLOSE
WIKILEAKS RELEASES CIA'S CYBER TOOLKITComey: Cyber threats against U.S. are 'enormous' | 1:17
At a conference on cyber security at Boston College, FBI Director James Comey said he plans to serve out his entire 10-year-term. He avoided discussing WikiLeaks or Russia, but said the cyber threats the nation faces 'are enormous.' (March 8) AP
3 of 8
CLOSE
WIKILEAKS RELEASES CIA'S CYBER TOOLKITWikiLeaks gives consumers pause about security | 1:58
Alexander Heid, a research executive with SecurityScorecard, examines the WikiLeaks disclosures, and gives consumers advice about internet security. His company monitors risk and gives security ratings. (March 9) AP
4 of 8
CLOSE
WIKILEAKS RELEASES CIA'S CYBER TOOLKITBrexit leader and Wikileaks founder meet in London | 0:39
Nigel Farage and Julian Assange meet at the Ecuadorian embassy in London. Veuer's Nick Cardona has the story. Buzz60
5 of 8
CLOSE
WIKILEAKS RELEASES CIA'S CYBER TOOLKITWikiLeaks dump claims to show CIA hacking tools | 1:55
WikiLeaks says documents it obtained reveal that the CIA targeted everyday gadgets such as smartphones and personal computers as part of a surveillance program. (March 7) AP
6 of 8
CLOSE
WIKILEAKS RELEASES CIA'S CYBER TOOLKITWikiLeaks reports 'largest ever' leak of CIA | 1:09
The website claims they have several hundred million lines of code from the CIA's hacking arsenal that includes damaging information. USA TODAY NETWORK
7 of 8
CLOSE
WIKILEAKS RELEASES CIA'S CYBER TOOLKITWikileaks releases thousands of documents targeting the CIA | 0:54
Newly released documents by Wikileaks shows the CIA used software to hack everyday devices. Veuer's Nick Cardona has the story. Buzz60
8 of 8
Last VideoNext VideoFeds launch probe of WikiLeaks documents on alleged CIA hacking
WikiLeaks data dump likely came from contractors
Comey: Cyber threats against U.S. are 'enormous'
WikiLeaks gives consumers pause about security
Brexit leader and Wikileaks founder meet in London
WikiLeaks dump claims to show CIA hacking tools
WikiLeaks reports 'largest ever' leak of CIA
Wikileaks releases thousands of documents targeting the CIA