Vault 7

While this blog isn’t focused on current events or recent news stories, one particular story has come to light that I feel compelled to write about.  Last Tuesday, March 7, WikiLeaks revealed the first of a batch of leaks code named “Vault 7.”  Now I’m not going to debate the ethics of leaking classified documents or what political motives may exist behind the timing and content of the leaks.  Instead, I am going to focus solely on the content of the leaks, and oh boy, is there a lot of content.

What is in Vault 7?

Vault 7 part 1, dubbed “Year Zero,” contains documents related to the Central Intelligence Agency’s global hacking abilities.  The documents describe many “zero-day” (notice the naming similarities) exploits against every major computer and cell phone operating system on the market right now.  This means the CIA has tools capable of actively targeting and compromising every single smart device you own through various means.

What is a Zero-Day Exploit?

The term “zero-day” describes an exploit for a vulnerability that the vendor has not yet noticed or patched.  This means there are no known countermeasures to this particular attack yet, and an attack of this nature could go undetected.  Zero-day exploits are considered the most dangerous kind of exploit because they leave a large number of fully up-to-date systems vulnerable.  This is why Microsoft, Google, Apple, and other large tech companies run “bug-bounty” programs that pay you for finding security flaws in their systems.  It is also why brokers like Zerodium exist, which will buy exploits for up to millions of dollars because of how valuable they are to hackers and governments.

What can the CIA hack?

Everything.  The CIA has separate teams looking for exploits in Android, iOS, Windows, ChromeOS, OS X, Linux, you name it.  They have lists of numerous active, unpatched zero-day exploits in every single operating system.  In fact, the exploits are so extensive that the CIA has tools which can turn your Samsung Smart TV into a microphone that listens to everything you say and transmits it back to the CIA.  Now, Google and Apple have released statements saying “Many of the exploits found have been patched,” but all that really means is that the CIA still has exploits that are unpatched for now and may never be patched on older OS versions.

What is the problem?

The most concerning part of what the CIA has done here is that they did not disclose any of the vulnerabilities they found in any system.  That means they did not inform Google, Apple, or Microsoft that their products could be targeted.  By “hoarding” zero-days, the CIA has made all our devices less secure by purposely allowing vulnerabilities to exist for the purpose of spying on a (hopefully) small number of people.  And now, thanks to this leak, at least one other entity has access to the entirety of the CIA’s hacking arsenal.  If the leaker had sold this to a foreign state or a shady organization, we could all be in much more trouble.

Also, while the documents WikiLeaks published do describe the attacks in question, WikiLeaks has redacted or removed most of the specifics and all of the source code for the tools in question.  This is ostensibly so these tools cannot be used against anyone else at the present moment.

What can I do to protect myself?

Power off all your electronic devices, place them in a Faraday Cage, and never look at them again.  Seriously.  If you’ve pissed someone off to the extent that the resources of the CIA are after you, there is almost nothing you can do to protect yourself.

However, this leak does prove that encryption works.  The fact that the CIA has to resort to operating-system-level hacks on the endpoint instead of simply intercepting messages in transit means that encrypting your messages is a good precaution, no matter how badly the CIA wants what you know.

4 thoughts on “Vault 7”

  1. What a terrifying way to start off my Friday morning. I’ll have to build a Faraday Cage. My question is, since all of this computer/hacking/technical stuff isn’t something I’m too familiar with, what’s the legality of all of this? Whether it be laws protecting each individual, or has the CIA done anything “wrong” here? Is this allowed for purposes deemed under the “national security” argument?

    1. It’s really scary to think about the implications of moving into an age filled with technology. We are almost giving up our control to big firms and governments. Sounds like stuff out of The Circle. Hopefully, this isn’t a problem for most people as they shouldn’t have too much that they are trying to hide in the first place.

  2. I feel like as the presence of technology in our lives continues to increase, there will only be more opportunities for the CIA and other organizations to spy on whoever they want. In this day and age, interaction with technology is almost inevitable, which means that nothing you really do can be guaranteed to be “private” anymore, which is a slightly terrifying thought. We all like to think that the CIA obtains warrants from the appropriate courts but in reality there are segments of the CIA that operate pretty much independent from the law – I don’t think it’s any stretch of the imagination to say that they have and will continue to wiretap and spy on people without going through the appropriate channels.

  3. I’m really not surprised that the CIA is able to hack everything. Although I am probably not with the majority of the population when I say this, I’m not too concerned about it at the moment. I like to believe that I can trust them to not abuse this power, and even if they did, all they would find on my devices are memes and a bunch of schoolwork. I did come from a very strict family, however; my dad would monitor everything I did and control my internet usage literally until the day I moved to college, although this was just to make sure I wasn’t always playing video games. I’m just used to this kind of stuff, and so I guess that’s why I really don’t mind as much as other people.
