A Look at the Vault 7 Leaks

In a new release yesterday, Wikileaks - which has also notably published US diplomatic cables in 2010 and Clinton campaign emails in 2016, among a large number of other releases - published files allegedly belonging to the US Central Intelligence Agency (CIA). The released files cover a variety of topics but center on the CIA's cyber capabilities, in particular its hacking tools and exploits.

This briefing gives a short overview of what is known about the leaks at the time of writing.

 

Are the leaks authentic?

While there has been no confirmation that the leaks are authentic, there are no obvious signs to discredit them either, and it is highly unlikely that the entire leak is fabricated. For one, it contains a lot of non-critical material, such as a list of Japanese emoticons, which indicates a resource actively maintained by a number of people over a long period of time. Secondly, fabricating the information on vulnerabilities and exploits in a way that survives scrutiny would take a tremendous amount of effort, money and time.

At the same time, there is no way to tell whether individual pages in the release have been added, removed or edited to fit an agenda.

 

What will the technical impact be?

The leaks contain references to tools and exploits targeting smartphones and smart TVs. Taking over either kind of device allows attackers to use it to spy on its owner. Most of the exploits do, however, require either physical access to the device ("attaching USB cables") or at least getting the device to connect to a prepared Wi-Fi network. This limits their use to targeted operations rather than mass exploitation, but it is no obstacle for an agency that can get close to a specific target. There are at this point no indications that any of the smartphone or smart TV vendors cooperated with the CIA.

There are also some tools that either impersonate or bypass antivirus software.

While the tools themselves were developed by the CIA, none of the vulnerabilities or techniques referenced appear to be unknown today. Whether they were unknown (i.e. zero-days) at the time the tools were developed is unclear.

Some news sources have misinterpreted the fact that the CIA could install malware on a phone and thereupon monitor everything the phone does, including messages in so-called secure messengers, as meaning that the messengers' encryption itself has been broken. At this point in time, there is no evidence to support this conclusion. Malware running on the handset reads messages where the user reads them, before they are encrypted for sending or after they have been decrypted on arrival; the messenger's protocol is never attacked, and a message intercepted on the network is still unreadable. Endpoint compromise defeats end-to-end encryption for that one device, not for the messenger as a whole.

 

What will the political impact be?

The largest political implications are likely to come from documents alleging that CIA operatives were sent to the US consulate in Frankfurt on diplomatic passports to conduct covert operations. While this topic is likely to lead to some backlash across the German political spectrum, there is nothing inherently new about countries using embassies and consulates to deploy agents.

 

Summary

At this point in time, we assess the leaks as largely authentic as a whole. The authenticity of each individual document, however, is unclear. The leak - if authentic - shows that the CIA has developed significant offensive cyber capabilities. Similar to the PRISM leaks, this was something widely expected but not so far confirmed. The leaks also show that the CIA employs normal human beings and experiences projects gone bad (there are numerous references to code that breaks) and office humor (e.g. the list of Japanese emoticons) like any other organization of its size.

At this point in time, nothing indicates that the CIA possesses unexpected levels of sophistication in the field of cyber security. The geopolitical implications of the leak remain to be seen, but at the time of writing we see no indicators of major fallout.