What do I need to know about the CIA's hacking programme?

WikiLeaks has released what it said were thousands of documents that described internal US Central Intelligence Agency discussions on hacking techniques.

WASHINGTON (Reuters, NYTimes) - WikiLeaks, the website that specialises in exposing secrets, has released what it said were thousands of documents that described internal US Central Intelligence Agency discussions on hacking techniques it has used to circumvent security on electronic devices.

WikiLeaks called the documents Vault 7, and they lay out the capabilities of the agency's global covert hacking programme.

Q: Are the documents authentic?

A: It appears at least some are real. While the CIA has declined to comment, independent cyber security experts and former intelligence agency employees who have looked through them say that they appear to be authentic, citing code words used to describe CIA hacking programmes.

Q: What is the CIA programme?

A: By the end of 2016, the CIA programme had 5,000 registered users, including government employees and contractors, and they had produced more than a thousand hacking systems. The agency's arsenal, the documents indicate, included an array of malware ranging from viruses to clandestine "zero day" vulnerabilities in the software of major companies. The files have circulated among former US government hackers and contractors in "an unauthorised manner, one of whom provided WikiLeaks with portions of the archive," WikiLeaks said.

WikiLeaks said it was publishing the documents while redacting and anonymising some passages, including the names of "tens of thousands" of CIA targets.

WikiLeaks said it was not distributing "armed cyberweapons".

Q: What is new about the CIA programme?

A: Using malware to hack into devices ranging from smartphones to webcams has been going on for years. Sometimes the intent is to steal information - say, names, addresses and credit-card numbers for identity theft and fraud. Sometimes the goal seems to be to create havoc.

But the CIA programme seems to have been particularly sophisticated, far-reaching and focused on surveillance. Just how innovative the individual software techniques were will not be known until independent computer security experts and scientists at the companies whose software was probed can examine the malware and tactics involved.

Q: How vulnerable is my smartphone?

A: The software targeted by the hacking programme included the most popular smartphone operating systems: Apple's iPhone and Google's Android. The CIA hacking initiative had a "mobile devices branch", which developed an array of attacks on popular smartphones to infect and extract data, including a user's location, audio and text messages, and to covertly activate a phone's camera and microphone. Apple's iPhone software, according to the documents, was a particular target, including the development of several "zero day" exploits - a term for attacking coding flaws the company wouldn't have known about.

Though Apple has only 15 per cent of the global smartphone market, the intensive CIA effort was likely explained by the "popularity of the iPhone among social, political, diplomatic and business elites." Finding these vulnerabilities could in theory allow the spy agency to circumvent the kinds of security that stymied investigators who wanted to gain access to the password-protected iPhone of one of the shooters in the 2015 attack in San Bernardino, California.

Google's Android, the most widely used smartphone operating system, seemed to have received even more attention. By 2016, the CIA had 24 weaponised Android "zero day" software programs.

Q: Did the CIA directly target encryption software?

A: The CIA focused on smartphone operating systems in large part to intercept messages before they could be encrypted, according to the WikiLeaks documents. So by targeting the phone's underlying software, the CIA was looking to bypass the encryption of WhatsApp, Signal, Telegram, Weibo and other smartphone communications applications.

Q: The documents suggest that the CIA can access information in encrypted messaging apps like WhatsApp and Signal. I thought they were safe from even government spying?

A: No system is perfect. The documents describe ways to get information in those apps on Android devices, but only after gaining full control of those phones. Reuters has not found evidence in the documents released by WikiLeaks that the CIA had figured out a way to break the encryption in those apps.

Q: How can you hack a TV?

A: WikiLeaks said it identified a project known as Weeping Angel where US and British intelligence agencies developed ways to take over Samsung smart TVs equipped with microphones, forcing them to record conversations when the device appeared to be turned off.

Q: Were other kinds of devices targeted?

A: The CIA also targeted Microsoft's Windows personal computer software, other internet-connected computers, and home and industrial devices running the Linux operating system, according to the documents.

And in October 2014, according to the documents, the CIA was exploring technology to penetrate the vehicle control systems of cars. The documents do not detail the goal of the vehicle hacking programme, but WikiLeaks speculated that it would "permit the CIA to engage in nearly undetectable assassinations."

Q: What should I do if I'm worried?

A: Most people do not need to worry about being targeted by intelligence agencies. But everybody should stay on top of software patches so all their computers, mobile phones and other connected devices are running software with the latest security updates. Consumers should balance security concerns with their need to use smart devices.

Q: Is this as big as the leaks from former National Security Agency contractor Edward Snowden?

A: The Snowden leaks revealed that the NSA was secretly collecting US call metadata on ordinary Americans. The materials released by WikiLeaks on Tuesday did not appear to reveal the existence of any unknown programmes. Instead they supplied details on how US intelligence agencies work to discover and exploit security flaws to conduct espionage.

Q: If the documents are accurate, did the CIA violate commitments made by former President Barack Obama?

A: In 2010, the Obama administration promised to disclose newly discovered vulnerabilities to companies like Apple, Google and Microsoft. But the WikiLeaks documents indicate that the agency found security flaws, kept them secret and then used them for surveillance and intelligence gathering.