As the Dust Settles: What We Know About The "Vault 7" WikiLeak

Upon initially reading this story on MacRumors, I developed some mixed feelings. Admittedly, it is not entirely surprising that the CIA has an arsenal of tools and exploits pertaining to mobile devices. It was more shocking to learn that WiFi-connected devices such as smart TVs were also targeted, as reported by CNN. The existence of millions of lines of code relating to engineered malware, viruses, and trojans is concerning. Now that the Vault 7 leaks have thrust this information "into the wild," there are major consequences to consider.

Although the leak confirms that the CIA engages in surveillance, making the Agency's entire hacking arsenal accessible can introduce major challenges in safeguarding individual privacy and data security. This rings true not only for individuals, but also for high-value targets like government officials.

By its very nature, software can never be perfect - it is coded by human hands, and therefore will always contain some shortcomings. Often, these shortcomings can manifest in the form of security flaws; both white hat and black hat hackers seek to uncover or exploit such vulnerabilities. As one might expect, these operations can be either minuscule or grand in scope. The latter category, unsurprisingly, applies to governments and their respective agencies. However, certain conditions can apply - namely whether hacking requires physical access to the device, or can be performed remotely. 

According to CNN, Samsung was alerted in 2015 to one such vulnerability, which allowed a hacker with physical access to the device to trigger a "fake off" mode. From there, smart TVs could be used to spy on targets by recording audio in the immediate area. Samsung was also at the center of another security risk: it was discovered that smart TVs could once again be hacked. This breach, however, could be executed remotely - and it also activated the TV's camera without alerting the owner.

As CNN clarified, the CIA documented both vulnerabilities in their project dubbed "Weeping Angel."

Apple reporting site MacRumors emphasized that the compiled code was engineered specifically to affect iPhones and iPads. The overwhelming bulk of the Agency's efforts were focused on gathering, developing, and implementing iOS exploits. WikiLeaks pointed out that the CIA placed a "disproportionate focus" on Apple's popular mobile devices. The organization expanded further by saying:

Despite iPhone’s minority share (14.5%) of the global smart phone market in 2016, a specialized unit in the CIA’s Mobile Development Branch produces malware to infest, control and exfiltrate data from iPhones and other Apple products running iOS, such as iPads. CIA’s arsenal includes numerous local and remote “zero days” developed by CIA or obtained from GCHQ, NSA, FBI or purchased from cyber arms contractors such as Baitshop. The disproportionate focus on iOS may be explained by the popularity of the iPhone among social, political, diplomatic and business elites.

It is unclear whether or not these vulnerabilities are being used to conduct both foreign and domestic espionage. There exists an interesting contrast between domestic and international market share. According to data provided by Kantar Worldpanel ComTech (reported via 9to5Mac), iOS adoption has been growing in the United States. From November 2015 to November 2016, Apple gained 6.4% in market share. The large majority of these gains occurred alongside declines in Android popularity.

What does this mean? The market for Apple's handsets is surging in popularity. If the iOS platform reaches more and more hands, that expanded user base offers greater opportunity for breaches. In addition, iOS has been well-known for its enhanced security in comparison to other operating systems. Given that vulnerabilities are tougher to find, it seems iOS is the next nut to crack in terms of monitoring and seizing sensitive user data.

That is why major iOS vulnerabilities fetch such large sums - a point supported by Israeli company Cellebrite's recent announcement that a yearly subscription to their iOS data extraction service costs $250,000. At a deeper level, core exploits in the iOS platform can be auctioned for even more. These fees are typically affordable to high-profile buyers, such as national governments and their agencies. Following the San Bernardino shooting, the FBI brokered a deal to purchase Cellebrite's tool to aid with their investigations.

WikiLeaks made another important note: in the aftermath of the Snowden leaks, a collection of major technology companies approached the Obama Administration to discuss data security. By the conclusion of those talks, the Administration agreed to release discovered exploits and bugs to those companies. This ensured that vulnerabilities were patched, and that crucial security patches were implemented before hackers could capitalize. As MacRumors pointed out, this agreement encompassed all agencies of the U.S. government. When Vault 7 was released, it became clear that the CIA did not abide by such agreements. 

Where do we go from here? Per CNN's report, Dan Tentler - founder and CEO of the security firm Phobos Group - pointed out that many of the vulnerabilities are years old. Accordingly, many of them have been public for quite some time. Apple released a statement claiming that many of the Vault 7 exploits have already been patched. However, many is not all, and there is still some work to be done.

While the CIA in many instances has taken public knowledge to assemble their toolbox, Tentler declared that "it makes sense to take what's public already, and build on top of that." Public research could in fact constitute a jumping-off point in developing further surveillance tools. Given the current political climate, there is some doubt regarding whether the Trump Administration would adhere to Obama's former mandate. Whatever the case, people need to remain aware that their information is potentially vulnerable. Furthermore, the agencies created to protect us are culpable should they use such tools against the American public.

Public monitoring is a slippery slope, and abuses of power can become more commonplace if we normalize the existence of the "surveillance state."