Some questions and answers after the WikiLeaks dump on CIA discussions about hacking techniques it used between 2013 and 2016.
Q: What did we learn about the CIA's hacking program?
A. WikiLeaks published documents that it says describe CIA tools for hacking into devices including mobile phones, computers and smart televisions.
Q: Are these revelations new?
A: While the specific details are new, it is well known in the cyber security community that intelligence agencies are constantly trying to leverage flaws in technology products to conduct espionage.
Q: The documents suggest that the CIA can access information in encrypted messaging apps like WhatsApp and Signal. I thought they were safe from even government spying?
A: No system is perfect. The documents describe ways to get information in those apps on Android devices, but only after gaining full control of those phones. Reuters has not found evidence in the documents released by WikiLeaks that the CIA had figured a way to break the encryption in those apps.
Q: Are iPhones also vulnerable?
A: The documents discuss ways to get into iPhones as well. One appeared to show a list of Apple iOS security flaws purchased by US intelligence agencies so they could gain access to those devices.
Q: What should I do if I'm worried?
A: Most people do not need to worry about being targeted by intelligence agencies. But everybody should stay on top of software patches so all their computers, mobile phones and other connected devices are running software with the latest security updates. Consumers should balance security concerns with their need to use smart devices.
Q: What did we learn about how the CIA may try to make American hacking look like the work of hackers from other countries like Russia?
A: The CIA has a library of attack code taken from multiple sources and sorted by function, including a program from a Russian criminal kit that permits spyware to survive rebooting and a data-destruction tool lifted from a suspected Iranian operation. One purpose of such a collection is to avoid having to write programs from scratch, while another is to confuse anyone who discovers the malware in action.
The documents released so far do not show that the CIA set out to deceive victims into believing they had been hacked by someone else, but it suggests that the agency was capable of doing so if it wanted.
Q: Is this as big as the leaks from former National Security Agency contractor Edward Snowden?
A: The Snowden leaks revealed that the NSA was secretly collecting US call metadata on ordinary Americans. The materials released by WikiLeaks on Tuesday did not appear to reveal the existence of any unknown programs. Instead they supplied details on how US intelligence agencies work to discover and exploit security flaws to conduct espionage.
Q: How damaging is this revelation to US intelligence?
A: US intelligence officials say the damage is limited because much of what was published is old, a number of the vulnerabilities in smart TVs and other devices have been known for at least two years and many have been patched. The breach was discovered late last year according to US officials and most or all of the tools Wikileaks published are no longer in use.
Q: How did WikiLeaks get the information?
A: Unclear. Someone inside the agency may have leaked the information. Or, someone outside may have figured out a way to steal it. US officials told Reuters that contractors were the likely source for the leak.
Share
