This morning we awoke to news of Wikileaks releasing thousands of documents detailing the CIA and their involvement with hacking Android (and other OSes). Most of the mainstream media sites picked it up, which Wikileaks loved of course, but none of them put it into context. Here is the context — the documents themselves mean nothing.
I follow a lot of white-hat security “hackers” on Twitter and reading over my thread made me realise that this is all sensationalism by Wikileaks and the mainstream media.
WikiLeaks' #Vault7 reveals numerous CIA 'zero day' vulnerabilities in Android phones https://t.co/yHg7AtX5gg pic.twitter.com/g6xpPYly9T
— WikiLeaks (@wikileaks) March 7, 2017
Their press release also does it’s best to make their leaks seem relevant:
A similar unit targets Google’s Android which is used to run the majority of the world’s smart phones (~85%) including Samsung, HTC and Sony. 1.15 billion Android powered phones were sold last year. “Year Zero” shows that as of 2016 the CIA had 24 “weaponized” Android “zero days” which it has developed itself and obtained from GCHQ, NSA and cyber arms contractors.
These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the “smart” phones that they run on and collecting audio and message traffic before encryption is applied.
Looks scary right? Call them zero-days and everyone panics. A zero-day is a vulnerability or exploit that is unknown to the software manufacturer or to antivirus vendors. According to well known Android security researcher, Jon Sawyer, a few of the Android bugs are known already (not zerodays in other words) while others appears to be old. Via his Twitter account he goes on to say that the material released by Wikileaks is “OLDDDDDDDDDDDDDDDDDDDDD and misrepresented”. Nothing leaked by Wikileaks is significant….. anymore.
If you are indeed interested in reading some more regarding the truth from security researchers about this leak I suggest you head to the Erratasec website. Of note is that the CIA are not hoarding zero-days and what they are doing is straightforward hacking using exploits that can be found on the Internet if you know where to look.
The leaks do attribute some known viruses as having originated with the CIA and now anti-viruses can be created to defeat the CIA efforts. What we should be worried about is in the following response from Jon Sawyer:
Either WL's data is out of date, or US Gov capabilities suck. Which do you think is more likely lol
— Jon Sawyer (@jcase) March 7, 2017
So while the leaks mean nothing, as all of them are known and most have been plugged already, it signals something else — that governments are actively attempting to circumvent mobile operating systems around the world. I doubt this comes as much of a surprise to most of you.
While some people say that they have nothing to hide and it does not worry them, you can be sure that if governments are doing this then there is no doubt there are people using the same exploits for nefarious reasons. Be it your personal information, your bank details or something else, no one wants an unknown entity rifling through the data on their phones.
How can you prevent this from happening? Buy phones that receive regular security updates. Google are patching security holes every month in Android and roll them out to their devices that same month usually. Can the same be said for all manufacturers? Unfortunately not. If this concerns you find out how well a company performs with their security updates when you consider your next purchase.
The other thing you can do to help prevent yourself being a victim of an attack is to only install software from the Google Play Store. Google hunt through each and every app on the Play Store to prevent them from infecting your phone. Common sense is the name of the game.
So while the sky is NOT falling and Wikileaks’ trove of materials released today are old, outdated and no longer significant by themselves, it signifies a greater problem we should all be aware of — cybersecurity. Be safe with your use. Install apps only from trusted sources such as the Google Play Store and buy phones that receive regular security updates.
Hmmmm, you seem to have missed the entire significance of the leak. Sure, no new existing vulnerabilities were found but the agency knew and exploited vulnerabilities it found, for a prolonged period of time, without disclosure. This in turn exposed users of the devices or operating systems to others potentially exploiting said vulnerabilities. Yes, the typical person does not need to worry about government spooks spying on them, but these tools, in the wrong hands can wreak havoc and if this leak exposes anything it is that even the agency can’t contain their own cache of tools. As for patching,… Read more »
I don’t understand the demand for the CIA to disclose it uses techniques that black hat hackers have been using for many years. Know what’s on your phone, look out for unusual behaviour and if in doubt, factory reset. Do regular scans with free tools to spot malware and unsafe apps. Even the google play store contains dangerous apps. As for patching, just how many vendors continue to patch devices that have been discontinued for more than 6-12 months? All google handsets. LG and HTC also have form here. The LG G4 is now 2 generations old (4 generations if… Read more »
We already allow Google and Facebook employees to read our gmail and private FB accounts. They know more about me than I know myself. Nothing new here. Move along.
I don’t think Wikileaks is purporting to publish the latest batch of exploits fresh out of the CIA/NSA/whoever playbook. It’s more creating the awareness that this sort of stuff goes on.
I’d like to add that if security concerns you, you should always buy the generic country variant of a phone rather than going through a carrier. The country variant will generally receive updates before any carrier variant does.
Very few manufacturers provide monthly patches. Samsung seems to for most models, and Sony isn’t bad. However, the only way I’ve found to receive prompt and regular patches is to run LineageOS or MIUI on my phones. Yes, I know people hate MIUI, but Xiaomi’s dev ROMs are released weekly and are patched. Also, whilst devices rarely receive a bump in Android version, they receive MIUI and security updates for years. Google is the only other manufacturer to do this.