« All I can say is that there are many ways to spy. You can put someone under surveillance with your phone, your television, there are plenty of ways to do it. […] and microwaves that turn into cameras. That, as we know, is a fact of modern life. »
This is the response of Kellyanne Conway, Donald Trump’s advisor, concerning the last revelations of Wikileaks on the CIA methods.
To which Wired replied, not without cynicism, that « since the microwave did not have a camera, it could not film; and since the microwave did not have a microphone, it could not record. Finally, it is not a connected device … »
This case comes as Wikileaks has disclosed 9,000 compromising documents, a set called « Vault 7 », from the CIA, reporting techniques to hack smartphones and connected objects. These reveal, in fact, the CIA’s ability to exploit common objects such as smartphones, tablets, personal computers and connected televisions.
It is caused by security breaches that would allow the agency to track, spy on and even remotely control these devices. Apple, Google and Samsung would be concerned.
Peter Alfred-Adekeye, Chairman and CEO of Multiven, agreed to answer a few questions about this news.
1) What are exactly do these 9000 revealed documents? What exactly do they divulge?
The initial publication reveal amongst other things, that the CIA have access to previously unknown, and thus uncorrected software flaws popularly referred to as zero-days, that enable them to hack into, and remotely control devices like iPhones, Android-powered devices, Samsung TVs, Skype calls, antivirus programs and Wi-Fi routers from Linksys, Zyxel & Microtik. They also include details of exploits that target Cisco ASR 1000, Cisco ISR 881, Cisco Supervisor 720 for Catalyst 6500 and 7600s, Cisco 3560G, Cisco 2900 and Cisco 2911.
2) Which would be the source of these documents?
Wikileaks did not identify the source of these documents and the FBI have apparently began an investigation into likely sources.The depth of the published documents would suggest that it was an inside job.
3) How to interpret CIA’s response to the release ?
The CIA has actually confirmed the authenticity of these documents and as expected, are unapologetic about it because from their perspective, they are just doing their job. Bottomline is that electronic espionage will never cease. Thus, if you are a business with a valuable product or service or a Government agency handling critical information, it is safe to assume that you will be someone’s target sooner or later. Hence everybody should start taking steps to fortify their cyberdefenses from today.
4) Can we really consider the CIA’s systems to be obsolete?
The White House spokesman Sean Spicer told a news briefing last Thursday that « He believes that the systems at the CIA are outdated and need to be updated. » If you think about it, electronic espionage i.e. Cyber, is more within the realms of the NSA while the CIA is more human espionage. Accordingly, it is safe to assume that the « cyber infrastructure » at the NSA might be more robust that the CIA’s.
5) The French State has entrusted the analysis of its data to Palantir (CIA)? Should France be worried?
Even though it received early funding from the venture arm of the CIA and Peter Thiel’s Founders Fund, Palantir is a privately-held company that specialises in big data anaylsis for government and enterprise clients. Nothing in the leaked documents from Wikileaks undermines the integrity of Palantir nor the CIA’s own IT infrastructure. Hence, France need not worry about the impact of these leaks to its data held by Palantir. Besides, France is a close ally of the US 😉
6) Wikileaks wants to help Silicon Valley to counter CIA piracy techniques. What does it say about our time?
We are living in very interesting times indeed. However, the CIA, like all other espionage agencies around the world, are in the business of espionage and the most effective way of doing that today is electronically. Wikileaks’ gesture to Silicon Valley is good for reinstating the integrity of the affected products in the leaked documents, unfortunately this will not put an end to the exploitation of the zillions of vulnerabilities in software for military and economic gains. That is why the need for a politically-neutral provider of software integrity maintenance services for all businesses cannot be over-emphasised.