Wikileaks reveals CIA exploits gaping holes in all popular OSes and AV tools

Posted on Tuesday, Mar 07 2017 @ 16:51 CET by Thomas De Maesschalck
Earlier today, Wikileaks published another huge data dump. Called "Year Zero", this is the first release in a broader "Vault 7" series that reveals how the CIA develops and uses cyber weapons. This release is reportedly the largest ever publication of confidential CIA documents. While I don't usually cover these leaks, this one is of high interest to the computer industry as it concerns the secret hacking program of the CIA.

Wikileaks claims the CIA has an arsenal with dozens of zero-day weaponized exploits against a wide range of popular operating systems, including Apple iOS, Mac OS X, Google Android, Linux, and Microsoft Windows.

The CIA reportedly dedicates disproportionate resources to iOS because the iPhone is very popular among social, political, diplomatic and business elites. It also has a wide range of exploits for Android; in 2016 the agency reportedly had a total of 24 "weaponized" zero-day exploits for Android phones. By directly targeting the operating system that runs on smartphones, the CIA is able to bypass the encryption of popular messaging tools like WhatsApp and Telegram.

Furthermore, the leaks also reveal the agency has developed successful attacks against most well-known anti-virus devices and that it has a branch that develops attacks against Internet infrastructure like routers and webservers. Besides smartphones, the CIA also targets other consumer electronic devices. For example, it reportedly has an exploit that can turn Samsung smart TVs into secret microphones.

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

"Year Zero" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products, including Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.

After the Edward Snowden leaks about the NSA's hacking and spying program, the Obama administration made a commitment that serious vulnerabilities would no longer be hoarded. The leaks reveal the CIA breached this commitment and did not disclose critical security vulnerabilities, thereby leaving millions at risk of getting hacked by cybercriminals or foreign intelligence agencies:

As an example, specific CIA malware revealed in "Year Zero" is able to penetrate, infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts. The CIA attacks this software by using undisclosed security vulnerabilities ("zero days") possessed by the CIA but if the CIA can hack these phones then so can everyone else who has obtained or discovered the vulnerability. As long as the CIA keeps these vulnerabilities concealed from Apple and Google (who make the phones) they will not be fixed, and the phones will remain hackable.

The same vulnerabilities exist for the population at large, including the U.S. Cabinet, Congress, top CEOs, system administrators, security officers and engineers. By hiding these security flaws from manufacturers like Apple and Google the CIA ensures that it can hack everyone, at the expense of leaving everyone hackable.

The source of the leak hopes this revelation will spark a public debate about the security, creation, use, proliferation and democratic control of cyberweapons. A full summary can be read at Wikileaks.


About the Author

Thomas De Maesschalck

Thomas has been messing with computers since early childhood and firmly believes the Internet is the best thing since sliced bread. Enjoys playing with new tech, is fascinated by science, and passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.
