WikiLeaks has again dumped a load of classified information, and if verified, it tells the world about the CIA’s hacking capability. As always, we’re focused on the tech, so here is a brief list of IoT vulnerabilities revealed by the WikiLeaks info.
On Tuesday, March 7th, WikiLeaks released a set of information that they call the Vault 7 “Year Zero” Leaks. The leaks revealed the details of a vast assortment of bugs created by the U.S. Central Intelligence Agency (CIA) referred to as ‘zero days’ that permeated multiple devices, especially those that rely on the infrastructure present within the Internet of Things.
Breaking: According to AP, WikiLeaks’s Julian Assange said today that WikiLeaks will help tech firms defend their products against CIA cyberespionage tools.
In an online press conference today, Assange said, “We have decided to work with them [tech firms], to give them some exclusive access to some of the technical details we have, so that fixes can be pushed out.”
He added that once tech companies had updated their products with new defensive capabilities, WikiLeaks will release the rest of the technical information to the public.
You’ll find within our list that many popular tech devices released over the last few years are vulnerable. As a result, the Vault 7 leaks can be a good thing for us even if they’re a dreadful thing for the CIA.
On that note, Julian Assange also added today in his press conference, “This is a historic act of devastating incompetence. WikiLeaks discovered the material as a result of it being passed around.”
The microphoned bugs from spy movies are quaint and very low-tech by today’s standards. Why risk wire-tapping something when you can turn phones, computers, and televisions into remote listening stations, after all?
Here at Edgy Labs, we recently put out an article about how the North Korean government had the ability to hack their own electronic devices. If the North Koreans can do it, just imagine what the CIA can do.
Plucked fresh from the Vault 7 leaks, here are 8 IoT vulnerabilities that will get you started:
1. Android Phones
Google’s Android OS is used on most of the phones in the world, and according to Vault 7, there were 24 ‘zero days’ ready for the Android platform as of 2016. I have to give some of these bugs credit for creative names such as RoidRage, which comes complete with the Anger Management plugin, even if the idea of turning most cell phones into remote microphones is terrifying.
2. Apple OS
Apple’s proprietary iOS platform may not boast as many phones as Android, but its prolific use among the rich and powerful makes it a prime target for a few ‘zero days.’ These bugs can affect the entire platform, meaning that iPhones, iPads, and even MacBooks are vulnerable.
3. Windows OS
“Year Zero” seems to give the most love to Microsoft Windows, because the CIA has an awful lot of infection vectors planned out for it. For example, the document talks about malware that can infect through the CD/DVD drive or USB ports, and that malware might even hide itself in images or covert disk areas to defeat anti-virus software.
And then there’s HIVE, which is a malware suite that is capable of utilizing a separate cover domain for any number of customizable implants for the Windows platform. HIVE can turn your Windows system into a listening post, and it uses a unique VPN setup that allows it to communicate that data to a specially encrypted server. HIVE isn’t limited to Windows, however, which brings us to our next item.
HIVE can also be deployed on operating systems like Linux, Solaris, and MikroTik, and if you haven’t heard of the latter two, it’s because you haven’t been coding for any routers lately. We don’t often think of our internet routers, but they are the very glue that holds the IoT together, and if they can be hacked then that represents a huge vulnerability to our whole IoT network.
6. Samsung Smart TVs
Project “Weeping Angel” may sound like a fun Doctor Who reference, but it is quite a bit less charming and quite a bit more clandestine and just plain weird. This bug can hack a Samsung smart television, making it seem off when it is on and listening to the room via the microphone on the set.
I cringe when I have the opportunity to make some joke about how the world is becoming more like the movie Idiocracy, but with hacks like these, I’m more worried about seeing 1984 become a reality.
7. Automobile Systems
If the idea of an Orwellian dystopia wasn’t bleak enough for you, don’t worry.
According to Vault 7, the CIA was looking into compromising the control systems found in modern vehicles or trucks. We’re not even talking smart cars, either. Modern cars have computers that regulate certain systems (power steering, fuel injection, traction control, and automatic braking systems), and the nefarious purposes to which that could be abused are horrendous.
Let’s end this on a relatively light-hearted note. With the advent of the IoT, memes became a staple of internet culture, and while we may understand them as funny or insightful pictures with words overlaid on top, the CIA sees them as psychological tools to combat or change ideas. To stay ahead of the curve, they’re coming for our memes with a proposed Meme Warfare Center (MWC). The MWC would be a staff organization with a primary mission of generating the dankest memes based on detailed analysis of target populations.
With the revelation of the MWC, I may have a new reason to frequent 4chan, as there will most undoubtedly be a post or two about imaginary moles in their community.
As with any WikiLeaks release, the Vault 7 leaks are shocking, eye-opening, and maybe more than we were ready to hear.
Yet, knowing about your vulnerabilities is critical to protecting yourself. Don’t fear, be aware, and keep your eyes peeled for the latest tech news to come from the Vault 7 leak. Is there anything important we missed?