The CIA breach is being described as the biggest "since Snowden", and yet most in the security industry have expressed the view that "spooks will be spooks".
The cyber-security industry has responded to the latest leak of intelligence community data by WikiLeaks with a big wet ‘meh’.
WikiLeaks published yesterday what it describes as a leak of confidential documents from the CIA detailing the tools and vulnerabilities it allegedly uses to break into phones, communication apps and other electronic devices.
The trove of documents, part of the so-called Vault 7 which WikiLeaks has been trailing for several weeks, contains 8761 files which allegedly show the scope and direction of the CIA's global covert hacking programme.
It contains descriptions of the agency's malware arsenal, including dozens of "zero day" weaponised exploits against a wide range of consumer products such as Apple's iPhone, Google's Android, Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.
WikiLeaks says the collection amounts to more than several hundred million lines of code, and “gives its possessor the entire hacking capacity of the CIA”. WikiLeaks has called for the software to be “analysed, disarmed and published”, but has not published any of the actual code.
Already, some commentators have said the files include far more pages than the Snowden files that exposed the vast hacking power of the NSA and other agencies.
Overnight, security experts around the world have pored over the documents and the TL;DR is that they simply “don't matter”.
Those are the words of Slawek Ligier, VP security engineering at Barracuda, who says the vulnerabilities are not news, and “[the vulnerabilities have] been possible for a while now. The disturbing part is that spy agencies seem more interested in stockpiling vulnerabilities for a future exploit rather than working with vendors to close the gaps.”
Ilia Kolochenko, CEO at High-Tech Bridge, said that it didn't appear that the CIA was doing anything unlawful – far from it, it's the agency's job to develop the means to eavesdrop on targets of interest. “If the intelligence agencies were using advanced resources to spy on innocent citizens or intervene in government, it would raise many questions, but the fact that they have developed many tools including cyber-weapons is perfectly normal.”
He questioned whether there was even anything new in the release and speculated that it could even be a ploy to distract the attention of the public and foreign intelligence agencies. “People are talking about the [Weeping Angel] Samsung TV hacking tool, and that was something that was public several years ago,” he said. “That's not something that's going to make you say ‘wow’. It looks like a honeypot strategy – it's deflecting attention from other things.”
Many of the vulnerabilities disclosed in the CIA files appear to have been developed after CIA agents attended public hacking conferences. One document discusses how to weaponise a USB stick using BadUSB, the subject of a talk at BlackHat USA in 2014 by Security Research Labs.
Other vulnerabilities disclosed in the document include exploits that allow an attacker to take control of the microphone and camera, keystroke loggers for Windows and antivirus avoidance software, all tools readily available for free or for a price on the dark web.