WikiLeaks publishes massive 'Vault 7' CIA cracking trove

March 8, 2017 // 10:26 a.m.

Tags: #0day #0-day #backdoor #central-intelligence #cia #cyber #cyber-warfare #espionage #insecurity #privacy #security #spy #vault-7 #vulnerability #wikileaks #year-zero #zero-day

WikiLeaks has released what it claims to be the largest ever publication of confidential documents from the US Central Intelligence Agency (CIA) covering a large proportion of its electronic espionage and warfare arsenal.

Dubbed Vault 7 by the organisation, the document trove is being released in dribs and drabs, beginning with a nearly 9,000-strong release WikiLeaks has codenamed 'Year Zero'. If true, that first release has already revealed much about the CIA's Centre for Cyber Intelligence. Documents released so far by WikiLeaks include details of zero-day vulnerabilities exploited by the CIA for Windows, macOS, Linux, iOS, Android, and other operating systems, which the CIA had refused to share with manufacturers in order to continue exploiting them. That refusal left users at risk of attack both from the CIA itself and from anyone who got their hands on the exploits, either through independent discovery or via leaks from the CIA's trove of attack code.

'There is an extreme proliferation risk in the development of cyber 'weapons'. Comparisons can be drawn between the uncontrolled proliferation of such 'weapons', which results from the inability to contain them combined with their high market value, and the global arms trade,' claimed controversial WikiLeaks editor Julian Assange of the documents contained in the release. 'But the significance of "Year Zero" goes well beyond the choice between cyberwar and cyberpeace. The disclosure is also exceptional from a political, legal and forensic perspective.'

The documents released thus far make for sobering reading for privacy enthusiasts and strong validation for paranoiacs. Tools built by the CIA's Engineering Development Group include backdoors and exploits for all major mobile and desktop operating systems; a tool dubbed 'Weeping Angel' which allows the CIA to listen in on conversations held within range of the microphone on Samsung smart TVs even when they are supposedly switched off; and the ability to take remote ownership of vehicle control systems as a potential means of assassination. The documents also describe the hoarding of zero-day vulnerabilities in contravention of the Vulnerabilities Equities Process, which since 2010 has required government agencies to alert manufacturers and vendors to any and all discovered security vulnerabilities in their products in order that they may be patched.

The legitimacy of the documents has, naturally, not been confirmed by the CIA itself. Apple, however, has lent credence to the leak by issuing a statement confirming the legitimacy of many of the claimed vulnerabilities documented therein, stating that they have since been patched in order to protect users and that it is actively investigating the remaining vulnerabilities in order to close those holes as well.

Interested parties can read the redacted documents on the official leak page, though those who do not make regular use of anonymising technologies such as VPNs or the Tor network are advised that clicking on the link unprotected will bring their interest to the attention of their national security authorities.