.svg){kind=logo}
Grab a tin foil hat, your TV is watching you.
The opinions expressed in this article reflect those of the author, Tom Dodd, and not entrustIT
In the past, if you claimed that the Government was listening into your conversations through your TV, you might be placed in a straitjacket and carted off to the nearest mental health facility. Unfortunately, thanks to a huge data release by WikiLeaks this week, your claims would be entirely justified.
As a consumer, you may have heard of the “internet of things”. Perhaps you scoffed at the thought that your fridge needs an internet connection. The principle is that the internet of things allows us the ability to control aspects of our appliances from our smartphones. Modern appliances are becoming internet enabled and we are each being pushed to embrace a ‘smart home’, whereby our computers, televisions, lights, heating and even door locks can be controlled via apps on our smartphones. The theory sounds great, but the reality may be far darker.
WikiLeaks creates more headaches for the Government
On 7th March, WikiLeaks issued a press release codenamed “Vault 7”. In it are details of the CIA’s cyber-weapons programme, called ‘zero day’. These include malware, viruses and Trojans. The several hundred million lines of code included in zero day give the possessor the entire hacking capacity of the CIA. The leak even reveals a tool to listen in on conversations using smartphone or smart TV microphones. What’s more, the CIA (and GCHQ) appear to have been extremely irresponsible with the handling of these tools.
After the Edward Snowden leaks, the Obama administration promised that security vulnerabilities discovered by intelligence services would be released to the US based tech manufacturers on an ongoing basis. The Vault 7 leak shows that the CIA has instead been hoarding discovered vulnerabilities – presumably since they wanted them to remain open. The trouble is, if US intelligence agencies are aware of these flaws, is it not reasonable to assume that other agencies are too? Or that they will be in the future?
By discovering these flaws (in popular operating systems such as Windows, iOS, MacOS and Android) and opting not to inform the developers, they remain open to exploitation – including by those who seek to do harm. Specific CIA malware revealed in the leak is even able to penetrate both iPhone and Android software running presidential Twitter accounts. Given President Trump’s love affair with Twitter, and that one tweet from his account has the power to send stock prices plummeting, or worse still, potentially start a war, how valuable is that malware to a dangerous hacker?
Edward Snowden has had his say on the leaks
A difficult balancing act
Balancing public safety with public freedom is a difficult process. You may feel entirely relaxed about the intelligence agencies’ ability to hack into your TV if it means that you don’t become a victim of terrorism. However, in an effort to protect the public from violent terrorism, the CIA has left the public open to cyber terrorism. Some would argue that cyber weapons have the potential to deal more damage than conventional weapons. Once malicious code is out there, it is relatively easy to copy and extremely difficult to control. The very fact that this latest leak has been released indicates that the CIA and NSA cannot keep control of their sensitive data.
To be concerned about dangerous hacking tools falling into the wrong hands, or the possibility that you could be spied on in your own home is no longer a paranoid delusion. The threat is very real. The agencies that exist to protect us have left us vulnerable as a result of their recklessness.
The Bottom Line
Vault 7 is a goldmine of information – and it is damning for the agencies involved. Not only have intelligence agencies been working hard to discover vulnerabilities to spy on citizens, they have kept them to themselves – leaving them open to be exploited by hackers and terrorists. Whilst it is entirely justified to monitor terrorists, who determines who is a terrorist? How broad is that definition? We must be careful that we do not let intelligence agencies abuse the threat of terror to justify robbing us of our freedom.
In the short term, we can expect to see major tech companies patching the vulnerabilities exposed in Vault 7. Yet, we now have an idea of the lengths major intelligence agencies will go to in order to harvest information. More vulnerabilities will be found, and likely hoarded, until they are again exposed. The public should not sit by and accept that this a reality of modern life. These agencies must be held accountable for their failings.
The press release of Vault 7 can be found here. If you have an interest in cyber security – it is worth reading.