Vault 7 CIA hacking weapons include iOS, Android and Windows zero days

Mixed messages

Along with the released documents, WikiLeaks made bold claims that have caused a stir in the cybersecurity world and led to the spread of some misinformation.

WikiLeaks said this release is "part one" of a series called "Year Zero," but it is unclear what that means because WikiLeaks went on to contradict itself both in the description of the CIA hacking cache, in which it claimed "the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized zero-day exploits, malware remote control systems and associated documentation" as well as claiming the dump gave "its possessor the entire hacking capacity of the CIA." 

WikiLeaks also created confusion with a tweet:

WikiLeaks #Vault7 confirms CIA can effectively bypass Signal + Telegram + WhatsApp + Confide encryptionhttps://t.co/h5wzfrReyy

— WikiLeaks (@wikileaks) March 7, 2017

WikiLeaks later clarified this tweet and said that the CIA hacking tools in question were capable of exploiting handsets which in turn would enable access to any app on a phone, including encrypted messaging services like Signal, Telegram and WhatsApp.

Telegram's support team clarified further that the exploits found in the Vault 7 CIA hacking tools targeted the mobile operating system -- iOS or Android -- and was not "an issue of the app."

"It is now up to the device and OS manufacturers, like Apple, Google, or Samsung, to fix their volcanoes back into mountains," Telegram wrote in a blog post. "Luckily, in the case of 'Year Zero,' the mountain isn't exactly a volcano. It's rather just a big mountain that is full of secret tunnels and passages. The tools from 'Vault 7' are like a map of those tunnels. Now that device and OS manufacturers like Apple and Google will get this map, they can start filling in the holes and boarding up the passages. This will require many hours of work and many security updates, but eventually they should be able to take care of most of the problems."

Josh Zelonis, senior analyst at Forrester, said the encryption issue was likely misreported based on WikiLeaks' characterization of the documents.

"By compromising the device, an attacker would be able to access the messages on the device either directly or using the interfaces on the device such as screenshots and keylogging," Zelonis told SearchSecurity. "This is not an attack on Signal or Telegram encryption but is a bypass to access the data which is thought to be protected by this encryption."

WikiLeaks also claimed the tools found in the Vault 7 release might indicate false flag attacks performed by the CIA.

"The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation," WikiLeaks wrote. "With UMBRAGE and related projects the CIA cannot only increase its total number of attack types, but also misdirect attribution by leaving behind the 'fingerprints' of the groups that the attack techniques were stolen from."

There is no evidence these false flag attacks were planned or took place, and there appears to be no references in the CIA documents that indicate the agency planned to use these stolen attack techniques in such a manner.

Brian Vecci, technical evangelist at Varonis, told SearchSecurity that "the potential scale of the issue it raises" is more alarming because it shows extreme forms of surveillance aren't science fiction, they are "already happening."

"This isn't a single system or application that's been breached -- this is a large number of very critical exploits for a huge percentage of all the mobile phones in the world," Vecci said. "While oftentimes these kinds of breaches affect a single organization or group, this leak shows that there are a large number of previously-unknown exploits that could lead to unauthorized access of mobile devices, including using those phones as remote recording devices."