A Few Observations on Wikileaks and Vault7: Hacking at the CIA

By Herb Lin
Wednesday, March 8, 2017, 10:36 AM

Nick Weaver wins the prize for rapid response, but a few additional observations might be helpful.

First, I echo Nick’s observation that it’s hardly a surprise that the CIA has a bunch of its own hacking tools. Indeed, if they didn’t, I’d say someone ought to be fired.

Nothing in the documents suggests how, if at all, any of them have been used. In particular, nothing released as yet indicates they have been used against Americans. And it’s the CIA’s job to gather intelligence from non-Americans. Whether you think that’s a legitimate mission is an entirely different issue than the release of the Vault7 documents.

The Wikileaks press release says that the CIA hoarded vulnerabilities rather than disclosing them, and thereby compromised the security of the affected devices. No evidence has emerged that the CIA planted vulnerabilities, so in fact, the actor most immediately responsible for compromising the security of the affected devices is Wikileaks itself. Wikileaks had the option of contacting vendors and notifying them privately so that they could patch the vulnerabilities—but they chose to announce them without giving vendors that chance.

Release of these documents will hurt the CIA’s cyber hacking efforts. But if vendors aren’t scrambling now to build patches for these problems, they are being derelict. My prediction is that the damage to CIA hacking capabilities will be confined to a quite finite window that should be getting smaller if the vendors are doing their fixit jobs now.

Wikileaks claims that the documents show the CIA violated a commitment “from the Obama administration that the executive would disclose on an ongoing basis—rather than hoard—serious vulnerabilities, exploits, bugs or "zero days" to Apple, Google, Microsoft, and other US-based manufacturers.” Hardly. The Administration never made such a commitment—rather, it indicated that the process would be biased towards disclosure, but that decisions on individual vulnerabilities would be made on a case by case basis.

As Wikileaks press release notes, the CIA didn’t break the encryption of Signal and WhatsApp—rather, it developed tools to bypass the encryption. That is, it found ways of getting the plaintext of messages before encryption occurred—which is what you would expect if the CIA had found ways to establish a presence on individual devices.

I await the next release of documents.