A massive compromising leak of some of the CIA’s closely kept secrets stored in a repository known as “vault 7” has hit the wire on March 7th. This has naturally lead to a long series of panics on social media and a slight bit of eyebrow-raising as CNN curiously fails to report on it at this time despite the story being picked up by major outlets such as Reuters. Documents within Vault 7 that are visible on WikiLeaks contain a large database of hacking techniques and exploits that the agency had collected and discovered from 2013 to 2016. While all of the organizations that revealed the news have made this fact the center of their discussions, the detail that they entered into was tepid at best.
Surely you have a lot of questions, and perhaps we’ll be able to answer them as well as provide information that has been lacking from the repeated reports of the incident.
What Was In Vault 7?
If you’re extraordinarily curious (and since the contents of the leak were previously made public) you can find all the documents here.
It may be worth mentioning that this leak probably isn’t the last we will see from Vault 7. Julian Assange typically holds onto information and releases it in chunks, probably so that they can be analyzed and the news cycle surrounding the incident is a continuous stream rather than one “bombshell” story that dies in a few days. This is pure speculation, so take it with a grain of salt.
This particular leak is over 8,000 pages long in total, so expect details to be fuzzy over this time period until we’ve analyzed the documents more closely.
As for the content of the documents, there are several different categories and subcategories of information released within the collection. Most of them have to do with the exploitation of a variety of operating systems, including Linux, Mac OS, Windows, Android, and iOS. More concerning, of course, are projects like Weeping Angel. After poring over the contents, it seems to take advantage of a vulnerability in Samsung F8000 television sets, putting them in a suspended state with the microphone still on and listening in on conversations that happen in the room where a TV is present. Another project named HarpyEagle was started with the purpose of gaining root access to any Apple Airport Extreme (Apple’s wireless routers).
Should I Panic?
In a way, sort of. Most of what we’re seeing in Vault 7 are references to exploits and locations of tools on the web that simplify these tasks. Apple has reached out to TechCrunch to tell them that “many of the issues leaked today were already patched in the latest iOS” (full statement here). But then they went on to say that they will “continue to work rapidly to address any identified vulnerabilities.” This seems to insinuate that there may still be vulnerabilities that haven’t been patched.
Also, while we’re still talking about iOS, it is certainly worth noting that this statement does not take into account that Vault 7’s exploit list is neatly organized by operating system version (you can see what we’re talking about by looking at the list right here). So, if you have an older phone that cannot run a newer version of iOS, that phone will be forever vulnerable to what has just been revealed in public.
We have reached out to Google for a statement regarding Android vulnerabilities found in Vault 7 and have not yet received a response. Their blog at the time we are writing this has no statement for us to forward to you regarding these leaks.
For the moment, all we can say is that any enterprising hacker can make use of this information to take advantage of vulnerabilities currently present in systems both old and new.
On the other hand, it’s probably safe to bet that we’ll all live through this without any major “casualties,” though this isn’t the same “background noise” that Cloudbleed or Heartbleed were. Although “catastrophic” may be too dramatic of a term to describe the impact these leaks have, it is certainly cause for general concern no matter what device or operating system you use. In short, hacking is about to get much more interesting.
What To Do In These Situations
Unfortunately, there’s not much you can do individually to stop your devices from being vulnerable to the exploits revealed in this leak. Your intimate data, on the other hand, can be protected if you can air-gap it. By storing your most sensitive information in a computer that is not connected to the Internet, you make it immune to any remote interference. As for your smart devices in the home, you should cut off their power using an extension cord with a switch after you’re done using them if you’re concerned about surveillance. Make sure that every operating system you use has every update possible installed and wait for further updates as developers continue to address the issues that were just revealed.
If you have any other words of advice regarding the nature of these leaks, go ahead and spill them out in a comment!