In a ground-shattering data dump, WikiLeaks has released part 1 of what may be its most ambitious project yet. Vault 7, as it is called, has opened by blowing the whistle on civil liberty abuses and covert hacking allegedly committed by the U.S. Central Intelligence Agency. The data is quite a lot to process, but issues relating to InfoSec have immediately caught the eyes of experts in the cybersecurity field. Perhaps the most intriguing, and harrowing, of these issues is the proof that the CIA hoarded zero-days from developers.
Documents in Vault 7 point to collecting and hoarding of zero-day vulnerabilities in numerous mediums, especially mobile devices. For instance, a document titled “Android Exploit/Tool Coverage,” which is shown in partial form below, gives a laundry list of unpatched zero-days that allow access to various Android devices. The CIA hoarded these zero-days, but as you will see, other government agencies like the FBI were involved in their discovery.
It isn’t just Android that is affected, however, as iOS has also been implicated in the CIA’s zero-day treasure chest (see below).
The screencap above was edited by none other than NSA whistleblower Edward Snowden, who highlighted the fact that foreign agencies like the U.K.’s GCHQ have already gotten a hold of these exploits. Snowden himself further stated on Twitter that this is “first public evidence USG secretly paying to keep US software unsafe.” He also noted that the document(s) validity is not suspect as “Program & office names, such as the JQJ (IOC) crypt series, are real. Only a cleared insider could know them.”
What this infers is that most likely government insiders in the intelligence community blew the whistle and gave these documents to WikiLeaks. This is significant in many ways, but as it pertains to InfoSec it shows that even those sworn to secrecy see the danger in unpatched zero-days being collected and never fixed. The CIA and its allies are not the only possible entities that can access such exploits, and if in the wrong hands, a great deal of damage can be done on multiple levels of societal infrastructure.
As WikiLeaks points out, the CIA’s zero-day hoarding runs in direct opposition to explicit orders given by President Obama. In their opening page, WikiLeaks states that the “U.S. government’s commitment to the Vulnerabilities Equities Process (VEP) came after significant lobbying by US technology companies… the government stated that it would disclose all pervasive vulnerabilities discovered after 2010 on an ongoing basis.”
They go on to say that, since these zero-days existed long after the VEP signing, “the CIA breached the Obama administration’s commitments. Many of the vulnerabilities used in the CIA’s cyber arsenal are pervasive and some may already have been found by rival intelligence agencies or cyber criminals.”
That last line is really one of the most important takeaways here. No entity, public or private, should endanger the security of the general populous by allowing known zero-days to remain unpatched. The NSA originally hoarded a great deal of zero-days until they were put in hot water by Snowden’s whistleblowing. He did so, at risk of treason convictions, knowing that the greater good was being performed by shining the spotlight on the Deep State and its dealings.
The same public pressure that hit the NSA should hit the CIA. Of course, there are many already in the corporate media attempting to discredit these findings. Just recently, ex-CIA Director General Michael Hayden was on “The Late Show with Stephen Colbert” attempting to obfuscate those seeking answers after these leaks. Naturally, he played it off by assuring the public that they were not being spied on, and many in the media have predictably lapped up this answer.
— The Late Show (@colbertlateshow) March 8, 2017
For its part, the CIA neither confirmed nor denied the authenticity of the documents, but said in a statement that the agency “is legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and CIA does not do so.”
The truth is hard to accept. It means accepting that those sworn to protect us may very well be our greatest threat. That our lives and civil liberties do not matter to those we elect and support through our taxes. It means accepting that there is no good or evil, rather shades of ambiguity that we must analyze on a daily basis.
Vault 7 part 1 is the start of something big. As I continue to sift through this massive data dump, I will continue to report anything that threatens security, namely cybersecurity, of civilians and vital infrastructure.
I’ve made the choice as a journalist not to accept being lied to and to seek truth. Can you say the same?