It may just be my own Twitter echo chamber (i.e., a case of who I follow more than anything else), but my Twitter feed this morning has been going nuts about the latest WikiLeaks leaks about CIA hacking data. I wanted to say something about it without doing stupidly long tweet-stories, so I thought I’d give Medium a go.
It’s all much ado about nothing.
Most articles focus on three main points: a) CIA attacked smart TVs for recording audio. b) Encrypted communications apps are all open because the CIA have methods to get operating-system-level access to smartphones. c) They’re “holding exploits open”.
a) CIA attacked smart TVs for recording audio. This is nothing new. IT people have been trying to warn the public about the potential of this for a few years now, and have been roundly ignored and tuned out by the general public. Patrick Gray (@riskybusiness) pointed out he attended talks on this type of activity back in 2013. I recall (possibly falsely) that some cheap smart TV manufacturers have been busted for recording audio by default and sending this back to base, to be analysed and resold to analytics/marketing companies. This is nothing new. This is not news.
b) Encrypted communications apps are all open because the CIA have methods to get operating-system-level access to smartphones. This isn’t necessarily what that means. I’d like to see more details about the actual exploits the CIA have. Just because they can get to the OS doesn’t negate all encrypted apps that run on it, or all encrypted communication going out from third-party apps on it. This feels very much to me like a lot of tin foil hat alarmism at this stage. It could be true, but more details are needed before running for the hills. This _may_ not be what it’s hyped up to be. This _may_ not be news.
c) They’re “holding exploits open”. As far as I can tell, this is nothing more than the CIA having 0-day exploits that they actively use and aren’t reporting to the manufacturers so patches can be developed. 0-day exploits are nothing more than exploits that have been found by third parties and not disclosed yet, so the manufacturer doesn’t know to work on fixing the bug. This is no different to most of the exploits the NSA used, and any other security agency or hacker group out there. This is standard operating procedure. This is not news.
It’s all much ado about nothing. The only news here is how much about the CIA’s operations is known and how, but that’s being glossed over.
The timing of it is also very bloody convenient for Trump’s latest round of attacks on the CIA and claims that Obama had them spying on his smartphone. It should be noted that Trump uses a Samsung Galaxy 3. A phone the security agencies don’t approve but haven’t been able to take off him. A phone that stopped being patched years ago and has many known vulnerabilities actively being exploited by script kiddies (and their dogs) worldwide. But now my tin foil hat needs adjusting …