Calm down. Here's what you actually need to know about the WikiLeaks dump
On Tuesday, WikiLeaks published a massive trove of unverified documents it claims came from "an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence."
The documents, dated from 2013 to 2016 and dubbed "Vault 7" by WikiLeaks, describe powerful tools the agency has allegedly used to break into smartphones, computers and televisions.
SEE ALSO: WikiLeaks document dump alleges the CIA can hack almost everything
The revelations are juicy, but it will likely be days before the important details are parsed out. Here's what you need to know now.
Is the CIA hacking me?
Nope, probably not. While the CIA tactics described are certainly scary (especially because they exploit security vulnerabilities technology companies don't know about), you shouldn't freak out.
For one thing, while the Vault 7 documents describe precise techniques in detail, there don't appear to be details on their use against individual targets. Unless you're in some sort of underground smuggling ring, you're likely not being targeted.
Apps like Signal and WhatsApp that provide end-to-end encryption are still incredibly safe, and you should use them.
You should also be especially diligent about links sent to you via email. Don't click on anything until you're absolutely certain it's legit. And of course, use two-factor authentication whenever possible.
Was the CIA able to hack into apps like WhatsApp and Signal?
Despite some confusing tweets from WikiLeaks, it does not appear that the CIA's techniques cracked the extremely strong encryption used by apps like WhatsApp and Signal. Rather, the CIA has likely taken advantage of exploits that target the operating systems the apps run on—like Android and iOS.
WikiLeaks #Vault7 confirms CIA can effectively bypass Signal + Telegram + WhatsApp + Confide encryptionhttps://t.co/h5wzfrReyy
— WikiLeaks (@wikileaks) March 7, 2017
Claims that #Vault7 cracks Signal etc encryption or that Signal is safe.
Neither are true.#vault7 cracks Android/iOS, bypassing Signal etc.— WikiLeaks (@wikileaks) March 7, 2017
If your phone has been pwned, it doesn't matter how strong your encrypted chat app is. From what we can tell, there's nothing wrong with the encryption used by apps like Signal. These documents do not indicate that the CIA is intercepting messages sent via these apps.
Rather, they are using security vulnerabilities to break into the phones the apps are used on, as Edward Snowden himself pointed out in response to the document dump.
PSA: This incorrectly implies CIA hacked these apps / encryption. But the docs show iOS/Android are what got hacked - a much bigger problem. https://t.co/Bw9AkBpOdt
— Edward Snowden (@Snowden) March 7, 2017
What do the documents show the CIA hacked?
The first portion of "Year Zero," contains dozens of so-called "zero day" exploits developed to hack into Apple's iOS, Google's Android operating system, Microsoft Windows and Samsung TVs.
Zero day exploits are software vulnerabilities that are not known to the company that developed the software. In other words, WikiLeaks' documents show the CIA has been able to take advantage of loopholes that Apple, Google and Microsoft allegedly did not know existed in their own products.
That's likely to rock the tech world, because the government has promised to tell tech companies when they find problems in their software.
Wait, what's this about Samsung TVs?
Samsung smart TVs have special voice controls, whose security has been questioned before. According to the Vault 7 documents, the CIA had a specific exploit that targeted these TVs so they would look off but actually be on, with their microphones activated — essentially turning them into bugs. However, this required physical access to the TVs, since the exploit took advantage of a vulnerability in how the TVs accepted firmware updates via the USB port, and Samsung has subsequently patched it.
The CIA partnered with the UK's MI5 on the TV hack, giving it a nickname inspired by a Doctor Who monster: the Weeping Angels.
Why didn't the government tell tech companies they found problems?
If the documents are authentic, the CIA likely did not disclose the security vulnerabilities it described in order to preserve national security.
The agency probably wanted to keep spying using the loopholes it had found, rather than give the tech companies the opportunity to patch them up. But the Obama administration previously promised it would tell tech companies when it discovered issues.
After Edward Snowden leaked information about the National Security Agency's (NSA) hacking efforts, the Obama administration said it would disclose zero day vulnerabilities it discovered after 2010 on an ongoing basis through an administrative procedure called the Vulnerability Equities Process (VEP).
If these latest documents from WikiLeaks are authentic, it would indicate the government was actually hoarding the exploits, despite statements from officials indicating they were not.
In order to safeguard its hacking techniques, the CIA may have left major U.S. technology manufacturers like Apple in Google in the dark about security issues.
The U.S. government reports that it discloses 91 percent of newly discovered vulnerabilities. It's possible that the WikiLeaks trove of zero day exploits represents the 9 percent of loopholes the CIA doesn't disclose, or the government's self-reported figure could be inaccurate.
Google, Samsung and Apple did not return requests for comment Tuesday morning. A spokesperson for Microsoft said, "We're aware of the report and are looking into it."
WhatsApp declined to comment when reached but indicated it was looking into the information from WikiLeaks.
How did WikiLeaks get all these documents?
The most shocking revelation of the WikiLeaks dump so far is that the CIA allegedly "lost control of the majority of its hacking arsenal."
The agency's archive of hacking tools, according to WikiLeaks, was sent between government contractors and hackers in an unsecured manner. Along the line, someone released the massive set of tools to WikiLeaks.
For now, WikiLeaks hasn't published the cyber weapons themselves, so hackers and other people with bad intentions can't abuse them.
The organization said in a press release that it won't release them "until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should be analyzed, disarmed and published."
Are the documents real?
It is also entirely possible that the documents released by WikiLeaks are either fake or misleading. On first glance, they appear genuine.
What makes this look real?
Program & office names, such as the JQJ (IOC) crypt series, are real. Only a cleared insider could know them.— Edward Snowden (@Snowden) March 7, 2017
WikiLeaks documents, including a quarter-million diplomatic cables released by former Army intelligence analyst Chelsea Manning and thousands of documents taken from the National Security Agency (NSA) by Edward Snowden, proved to be real in the past.
"We do not comment on the authenticity or content of purported intelligence documents," a CIA spokesperson said in a statement.
"At first glance [the data release] is probably legitimate or contains a lot of legitimate stuff, which means somebody managed to extract a lot of data from a classified CIA system and is willing to let the world know that,” Nicholas Weaver, a computer security researcher at the University of California at Berkeley, told The Washington Post.
Even if the documents published are authentic, they could be presented in a misleading way. WikiLeaks also has full discretion to omit documents it does not want to publish.
If the leak is real, it could change how we think about the CIA.
The U.S. historically has built up its offensive cyberattack capabilities within the National Security Agency. The CIA has not traditionally had such capabilities or been thought to need them, but they may be increasingly necessary for its spying operations.
Given that the government hasn't commented it, it's possible the agency had no idea this information leaked and is trying to verify it all itself, which also suggests caution.
At the same time, we've known for years that agencies like the FBI have utilized hacking tools that have allowed them to break into cellphones, so it's not exactly shocking that the CIA could be doing the same.
Anything else I should know?
The CIA really likes bad memes, folks. Aside from documents, the WikiLeaks dump also included a ton of memes the agency hoarded. It's not entirely clear what they were used for, but they're a lot of fun to look at.
Especially those that hit just a little too close to home:
Image: The CIA I guess?
