This morning, WikiLeaks posted a new cache of files, this time from the CIA, comprising more than 8,700 documents pertaining to the agency’s covert hacking program. This release, called “Year Zero,” is the first of multiple planned document releases. Among its contents are details of the CIA’s knowledge and exploits of “zero day” vulnerabilities, weaknesses that are unknown to the technology provider, and therefore ripe for abuse.
Among the software targeted were both major mobile operating systems, iOS and Android, and the desktop operating systems Windows and macOS. By compromising phone hardware, the CIA was apparently able to bypass encryption on protected messaging apps, such as Signal and WhatsApp. (To be clear, there is virtually nothing Signal or WhatsApp can do themselves to guard against this vector of attack. If the device is compromised, so is everything on it.)
Also compromised, according to the documents, were Samsung smart TVs. Using software code-named “Weeping Angel,” the CIA was able to turn the TVs into covert recording devices. The Internet of Things, which is notoriously insecure, has already been compromised by U.S. intelligence.
But wait! There’s more! According to the records, the CIA has been hoarding zero-day vulnerabilities, rather than disclosing them to tech companies so that they can be patched. This is not particularly surprising — you can assume every intelligence agency does it. But that’s the thing: every agency, which means if the CIA knew about these exploits, you can bet other foreign and domestic actors did as well.
WikiLeaks claims that the exploits and documents have been circulating for a while now. “The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive,” they write. The danger now, as has become routine, is that we don’t know who else has them.