Not likely, but all too possible. According to the shocking data dump on Tuesday by the radical anti-secrecy organization WikiLeaks, the agency could infiltrate billions of devices worldwide. And here’s a bigger worry: If the CIA can compromise our gadgets, any reasonably bright foreign spy, cyber-crook, or terrorist will eventually be able to do the same. The WikiLeaks report suggests the CIA is doing nothing to prevent this — on purpose.
The CIA has declined to comment. But according to the WikiLeaks dump, the agency has collected dozens of “zero-day exploits.” These are security flaws in software operating programs such as Apple iOS, Android, and Microsoft Windows that let an intruder illicity seize control of a digital device. “Zero-day” is tech-speak for a flaw that no one else knows about. Spies love zero-days because they can infiltrate a system for days, weeks, or months before being detected.
WikiLeaks claims the CIA, in cooperation with the United Kingdom’s spy agency MI5, developed an attack that secretly activates the microphone on Samsung Corp.’s smart TV sets, allowing agents to remotely record conversations in hotel suites or conference rooms.
Other zero-day bugs allow spies to intercept text messages and voice calls sent on Apple or Android phones. It doesn’t matter if the user has an app like Signal or Telegram that encrypts traffic; the bug captures the data before it becomes encrypted.
These exploits represent extraordinary work by brilliant engineers, and frankly, it makes me proud to be an American. But it also poses a nasty problem. The same bugs that make these exploits possible could eventually be uncovered by America’s enemies, or even by common criminals.
Shouldn’t the intelligence community protect us by reporting the problems to the software makers?
“It’s a real conundrum,” said Stuart Madnick, cybersecurity expert and professor at the MIT Sloan School of Management. “Currently, the mission of the CIA and the NSA is to be spies,” not to help secure domestic data networks, Madnick said. “Revealing the zero-days would not be an obvious part of their mission.”
Except that in 2010 the Obama administration made it a policy that when intelligence agencies discover such bugs, they should help software makers find and fix them. The agencies can apply for an exception in special cases, but those must be approved by a review board made up of senior executives of several agencies, including the departments of Homeland Security and Commerce.
The Obama administration publicly acknowledged the tricky balance between disclosing vulnerabilities and exploiting them for intelligence advantage.
“Too little transparency and citizens can lose faith in their government and institutions, while exposing too much can make it impossible to collect the intelligence we need to protect the nation,” Michael Daniel, Obama’s cybersecurity coordinator, wrote in a post on the White House home page in 2014.
Yet the WikiLeaks report claims the CIA has 24 zero-day exploits for Android devices alone, as well as an unspecified number for Apple iOS devices.
In addition, the CIA allegedly has developed ways to compromise computers running the major operating systems, Apple’s Mac OS X, Microsoft Windows, and Linux.
And the agency told nobody.
Kade Crockford, director of the Technology For Liberty project at the American Civil Liberties Union of Massachusetts, said the spy agency’s decision not to warn about these bugs poses a major security problem for users of digital devices worldwide.
“The fact that these documents leaked is evidence that it’s very, very hard to keep a lid on this stuff,” Crockford said. “As soon as this information is leaked or stolen, millions and millions of people are at risk.”
WikiLeaks says it’s in possession of the actual software code — several hundred million lines of it. But the same organization that cheerfully subverted Hillary Clinton’s presidential campaign through a series of leaked e-mails has decided it’s too dangerous to publish the attack software — for now, at least.
“Once a single cyber ‘weapon’ is ‘loose’ it can spread around the world in seconds, to be used by rival states, cyber mafia, and teenage hackers alike,” WikiLeaks warned.
For privacy absolutists there’s an easy answer: Make it mandatory for spy agencies to report all zero-day bugs, so they can be fixed. That might cripple America’s ability to spy on rival nations, or on terrorists. People in the intelligence community call this “going dark.”
But Bruce Schneier, a security software developer and a fellow at Harvard University’s Kennedy School of Government, said living with billions of easily hackable devices is far worse. “A dark world where nuclear power plants can’t be hacked is safer than a bright world in which they can,” Schneier said.
Maybe there’s a middle path. Perhaps our spies could be given, say, one year to exploit each new bug. Then they’d be required to report it — no exceptions, no appeal. That would cut the risk to public safety and give the spies time to find new ways to raid our systems.
It’s an imperfect solution, perhaps no solution at all. But there’s no going back to the old ways. WikiLeaks has seen to that.Hiawatha Bray can be reached at firstname.lastname@example.org. Follow him on Twitter @GlobeTechLab.