Analysis

Why the WikiLeaks Bombshell Looks Like a Huge Deal, but Actually Isn't

As time passes, it turns out that many of the fascinating disclosures in 'Vault 7' are only smoke and mirrors.

CIA headquarters in Langley, Virginia, April 13, 2016. Photo: Carolyn Kaster/AP

WikiLeaks dropped a bombshell on Tuesday, consisting of thousands of documents that reveal the entire cyberwar arsenal at the CIA’s disposal. Also disclosed were details of the internal structure of the organization’s cyber warfare units, including the fact that 5,000 people at the CIA are involved in the development of offensive tools directed at a host of platforms and software. Moreover, these documents reveal that the American consulate in Frankfurt is an undercover cyber espionage base, known among cognoscenti as the Center for Cyber Intelligence in Europe.

At first glance this would appear to be a huge deal, but as time passes it turns out that several of these fascinating disclosures are only smoke and mirrors: many of the revelations aren’t all that new or earth-shattering from a technical standpoint, and they appear far more serious than they really are.

1. Are WhatsApp and Facebook Messenger no longer secure following these disclosures? On the contrary

Some of the early reports of the leaked information seemed to indicate that the CIA had managed to somehow crack Signal, an encrypted app that was developed by a non-profit organization called Open Whisper Systems. The app is reaping much praise from cyber security experts – the encryption protocol underlying this app also serves Google’s Allo, WhatsApp and Facebook Messenger.

What the WikiLeaks announcement says is that if the CIA manages to break into a mobile phone, it can bypass the encryption used by WhatsApp, Signal and others. This is not news to anyone. The idea behind these apps is to protect your messages on their way from your device to your recipient. If your phone is broken into and full control of it is obtained, the game’s over: the attackers can see your messages before you send them or after you receive them.

Many experts were quick to point out that in fact the information published by WikiLeaks proves the exact opposite of what the first impressions implied: Encryption works! These apps can help you protect yourself.

This obviously requires that your mobile device is protected and up to date, since taking control of the device allows the encryption to be bypassed. Nevertheless, many have noted that if the CIA or NSA really have you in their sights, most likely they will somehow get into your phone.

2. Smoke and mirrors

Apparently there is much real information in these leaks, but the emphasis on bypassing Signal was not the only problem with the WikiLeaks report. Many cyber security experts responded by saying that there were no revelations of great technical innovation, and that much of the story was artificially inflated. A security expert told the Wall Street Journal that this was a much more serious leak than the ones perpetrated by Snowden, but so far this is hard to believe.

Tarah Wheeler, a senior hacker at Symantec, and Dr. Sandy Clark from the University of Pennsylvania wrote a joint article saying that these revelations are far less meaningful than the information exposed by Snowden.

WikiLeaks mentioned more than 1,000 zero-day software holes, a staggering number of vulnerabilities (Stuxnet used only a small number of such holes). So what is a 0-day? It is a flaw in some piece of software that, by the time it is discovered (on "day zero") by cyber security experts, has already been exploited for malicious purposes by someone.

There is currently vigorous trading of information about such holes, some of it more legitimate than the rest. Companies such as Google and Facebook offer cash rewards (called bug bounties) to external hackers who find security flaws in their systems, in order to ensure that they receive such information before others who may want to use these holes to the detriment of the company and its users. These rewards may amount to thousands of dollars or more. Companies that develop offensive espionage tools also offer rewards for finding such flaws, and they have deep pockets as well, sometimes much deeper ones.

Such a large number of holes must have required thousands of hours of research, but experts who have gone over the report note that many of these flaws were already known in older versions of operating systems such as Android 4. These flaws can easily be addressed using free and accessible fixes. The report may be referring to relatively old hacking software. Cyber security expert Robert Graham noted that the WikiLeaks documents actually contained very few 0-days.

Claims of tools that allow the bypassing of what is called an air gap – which sound quite bombastic – actually refer to a combination of malware that spreads via USB drives and via CDs used for installing software.

For example, the Weeping Angel software, which enabled a Samsung TV to be turned into an espionage tool serving the CIA, required physically plugging a USB drive into that television. The report about these TVs is but part of a larger trend in the Internet of Things that technology companies have been vigorously promoting in recent years, often without considering the extensive security problems that come with the new technology. We’ve recently heard about web-connected dolls which threatened the privacy of children and their parents, leading to shocking leakage of information without the hackers needing to be anywhere near the dolls.

WikiLeaks also noted attempted break-ins into smart cars, which could allow the CIA to take over systems in such cars, enabling the kind of assassinations which hitherto could only be seen in James Bond movies. However, the document didn’t say that the CIA had actually succeeded in taking over such cars, whereas some independent researchers have on occasion succeeded in finding vulnerabilities that would allow penetration and takeover of such cars, including control of the brakes.

In summary, many of these impressive break-ins are much less impressive than it would seem at first glance. There was nothing technically new or exciting in these leaks.

3. The (maybe really) good news

Cryptography expert Prof. Matt Blaze and others have noted that according to what has been released there is some good news as well: Encryption works!

Contrary to the revelations made by Snowden regarding the NSA and its operations, in this case there is no large-scale gathering of information from millions of citizens in the hope that with enough computing power, advanced software and a lot of luck a terrorist needle may be found in enormous haystacks. Rather, this is a focused attempt at penetration for specific purposes in order to obtain high-quality information.

In other words, if the NSA is Tolkien’s dragon Smaug, sitting on a mountain of digital gold, the information revealed so far makes the CIA look more like Bilbo the dwarf. They both quietly penetrate their objective for specific purposes, gathering specific information.

This is obviously a very simplistic analogy, and it’s likely that if any organization was in the CIA’s sights, the agency would have done whatever possible to gain access to the devices of anyone in that organization. The main point is that it didn’t necessarily do so (judging by the leaked information) by violating the privacy of millions of citizens in search of some terrorist threat.

4. It all depends on the target

The technology mentioned in the WikiLeaks document can do many things. The main question is against whom this technology is used. Is it used for wholesale collection of data, or is it directed against individuals? If so, who are these individuals?

There may be a truly great message here. As increasing numbers of services become encrypted, the ability of agencies such as the CIA and NSA to collect huge piles of data is diminished. For example, following a major push by Google, it was reported recently that more than half of online websites use the HTTPS protocol, which is encrypted. This makes it difficult for hackers to follow the online traffic of millions of people, extract it and try to tease out some bogeyman.

Many experts have commented over the last 24 hours that we actually are of no interest to the CIA or the NSA. This is inaccurate. That is, “we” don’t interest them, assuming we belong to the mainstream. However, by analogy (hypothetically? One wishes!) to Israel: Is an Arab student who posts a furious condemnation of the police for its conduct in Umm al-Hiran part of this “we”? What about his friends on Facebook or his family?

This is one more reason why encryption is so important – it makes it harder to criminalize entire populations.

5. Where is the actual software?

WikiLeaks reports that the CIA “lost control” of its arsenal of malware, but the source code for the software was not provided, nor were links to these files. So where is the software? Does “loss of control” mean that only WikiLeaks obtained the CIA’s software? Did the Russians or Chinese get their hands on it too? Is it being sold for tidy sums on the darknet? We don’t know.

6. Why is this important?

Firstly, even if these aren’t the most advanced programs one can find, if this is a zero-day event it will take some time until all the affected devices are properly patched again. Independent hackers or very different organizations will be only too happy to get the CIA’s new toys, which will help them take some shortcuts.

One of the interesting (though not surprising) revelations in the WikiLeaks documents relates to the CIA’s UMBRAGE group. This highlights the emphasis put by spy agencies on one of the toughest aspects of cyber warfare, that of attribution. Is it possible to gather enough evidence in order to prove that a particular agency is behind any cyberattack?

This is a critical question in a world in which a war can break out due to hacking some server or computer on the other side of the globe. For example, did Russia really hack the computers of the Democratic Party? American intelligence agencies said so unambiguously, but the proof of this, as shown to the public, was not clear cut.

According to the leaked document the UMBRAGE group collected attack software used by other countries so that the CIA could conceal its own tools, developed using the code and methods of foreign agencies. Robert Graham says that these claims are total nonsense.

These leaks, including the ones relating to the malware arsenal (if this is indeed what transpired) will allow other agencies to do exactly the same thing, while blaming the CIA.

7. The return of the Silicon Valley woes

WikiLeaks and other media noted that the leak reveals that, despite the efforts of the Obama administration to repair its relations with the software sector following the revelations made by Snowden, spy agencies appear to have continued ignoring the demand to collaborate by disclosing serious security flaws, keeping the information to themselves.

8. Why is this information coming out now?

WikiLeaks has not been viewed as an innocent player for some time now, and many people believe that in one form or another it is collaborating with Russia. This is the Russia which spy agencies and the American political system are accusing of hacking into the Democrats’ computers, of attempting to sway elections and of influencing the Trump administration.

People making such accusations claim that incriminating revelations regarding CIA capabilities are a great way of deflecting the spotlight elsewhere, while raising doubts concerning the allegations against Russia. For example, WikiLeaks noted that the CIA now has the ability to take over presidential Twitter accounts.

Marketing these leaks under the caption “The CIA can penetrate any device or software” greatly helps in promoting the idea that maybe it wasn’t Russia, and that it may have been a “false flag” operation carried out by the “deep state,” the new code word used by the president’s supporters, who are angry with administration officials not falling into line with his demands.

Are these accusers correct? It’s hard to know. What is clear is that there is a huge gap between the marketing hype and media attention, and the actual data.