The publication by WikiLeaks of documents it says are from the CIA’s secret hacking program describe tools that can turn a world of increasingly networked, camera- and microphone-equipped devices into eavesdroppers.
Smart televisions and automobiles noaw have on-board computers and microphones, joining the ubiquitous smartphones, laptops and tablets that have had microphones and cameras as standard equipment for a decade. That the CIA has created tools to turn them into listening posts surprises no one in the security community.
In a statement to CBS News, the CIA said it had no comment on the authenticity of the documents or the status of any investigation into their source.
“CIA’s mission is to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries. It is CIA’s job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad,” the agency said. “It is also important to note that CIA is legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and CIA does not do so.”
The agency also warned that the disclosure of hacking tools could allow America’s adversaries to take advantage of them, too.
The release of the documents by WikiLeaks has prompted many questions about potential vulnerabilities.
Q: How worried should consumers be?A: The intrusion tools highlighted by the leak do not appear to be instruments of mass surveillance. So, it’s not as if everyone’s TV or high-tech vehicle is at risk.
“It’s unsurprising, and also somewhat reassuring, that these are tools that appear to be targeted at specific people’s (devices) by compromising the software on them — as opposed to tools that decrypt the encrypted traffic over the internet,” said Matt Blaze, a University of Pennsylvania computer scientist.
The exploits appear to emphasize targeted attacks, such as collecting keystrokes or silently activating a Samsung TV’s microphone while the set is turned off. In fact, many of the intrusion tools described in the documents are for delivery via “removable device.”
Q: What can be done to prevent a compromised internet-connected device from communicating with spies?A: Not much if you don’t want to sacrifice the benefits of the device.
“Anything that is voice-activated or that has voice- and internet-connected functionality is susceptible to these types of attacks,” said Robert M. Lee, a former U.S. cyberwar operations officer and CEO of the cybersecurity company Dragos.
That includes smart TVs and voice-controlled information devices like the Amazon Echo, which can read news, play music, close the garage door and turn up the thermostat. An Amazon Echo was enlisted as a potential witness in an Arkansas murder case.
To ensure a connected device can’t spy on you, unplug it from the grid and the internet and remove the batteries, if that’s possible. Or perhaps don’t buy it, especially if you don’t especially require the networked features and the manufacturer hasn’t proven careful on security.
Security experts have found flaws in devices — like WiFi-enabled dolls — with embedded microphones and cameras.
Q: I use WhatsApp and Signal for voice and text communication because of their strong encryption. Can the exploits described in the WikiLeaks documents break them? A: No. But exploits designed to infiltrate the operating system on your Android smartphone, iPhone, iPad or Windows-based computer can read your messages or listen in on conversations on the compromised device itself, though communications are encrypted in transit.
“The bad news is that platform exploits are very powerful,” Blaze tweeted. “The good news is that they have to target you in order to read your messages.”
Apple and Google, the company behind Android, have issued statements saying many of the alleged vulnerabilities have already been patched.
Blaze and other experts say reliably defending against a state-level adversary is all but impossible. And the CIA was planting microphones long before we became networked.
Q: I’m not a high-value target. But I still want to protect myself. How?A: It may sound boring, but it’s vital: Keep all your operating systems patched and up-to-date, and don’t click links or open email attachments unless you are sure they are safe.
There will always be exploits of which antivirus companies are not aware until it’s too late. These are known as zero-day exploits because no patches are available and victims have zero time to prepare. The CIA, National Security Agency and plenty of other intelligence agencies purchase and develop them.
But they don’t come cheap. And most of us are hardly worth it.
Leave a Reply.
Thecomputerheale.com makes no claims about the efficacy of the information contained in the documents and related graphics published on this website for any purpose. All information, documents and graphics are provided "as is" without any kind of guarantee of effectiveness. Thecomputerhealer.com hereby disclaims all responsibility for the manner in which the information offered on this website is used by you.
In no event shall Thecomputerhealeronline.com be liable for any special, indirect or consequential damages or any damages whatsoever resulting from the loss of use, data or profits arising out of or in connection with the use or performance of information available from this website.
The documents and related graphics published on this website may include technical inaccuracies or typographical errors. Changes are periodically added to the information on this website. Thecomputerhealer.com reserves the right, at its discretion, to change or modify all or any part of this agreement and the content on website at any time, effective immediately upon publication of this notice.
Your continued use of this website constitutes your binding acceptance of these terms and conditions, including any changes or modifications made by Thecomputerhealer.com as permitted above. If, at any time, the terms and conditions of this agreement are no longer acceptable to you, you should immediately cease using this website.