WikiLeaks leak claims CIA can get past phone encryption, hack into Smart TVs

This leak of more than 8,000 files has not been authenticated – though it appears legitimate.

WikiLeaks published a collection of more than 8,000 documents and files Tuesday that, if legitimate, show how the CIA can hack into phones, TVs, and other devices.

The group alleges that products from some of the largest software and hardware companies are vulnerable – including the iPhone, Android devices, Microsoft Windows, and Samsung Smart TVs. The CIA's hackers, according to the documents, are able to access data from all of them – texts, audio messages, and more – even if encrypted messaging services like WhatsApp or Signal are being used.

The leak has been dubbed "Year Zero," with WikiLeaks claiming the documents come from the CIA in Langley, Virginia, and are from 2013-2016. The group obtained these after it says the CIA lost control of much of its hacking arsenal – millions of lines of code used to execute different cyber intrusions.

The arsenal has been shared (without authorization) by former government employees and contractors, with one giving a portion of the documents to WikiLeaks.

This is only a portion of what's revealed in the leak – expect more to come out in the coming hours and days as people comb through all the files. But here's a rundown of the big stuff right now, all according to WikiLeaks.

Are these legit?

This is the big question: Are these documents actually from the CIA?

The New York Times says their authenticity appeared "likely" after a review. And a source in the intelligence community told the Wall Street Journal some of the information "does pertain to tools that the CIA uses."

The CIA publicly has told outlets such as the Washington Post it doesn't comment on the authenticity of documents.

Phone hacking

According to the documents, the CIA has a special unit that "produces malware to infest, control and exfiltrate data" from devices that use iOS – so iPhones and iPads, for example.

There's another unit targeting Google's Android operating system.

The CIA's methods allow hackers to get audio and texts from the phone – even if someone is using supposed safety apps like WhatsApp, Signal, Telegram, Weibo, Confide and Cloackman. The CIA is able to hack into the smartphone itself, and skim all that information before any encryption is applied to it.

Smart TVs

The CIA, in collaboration with British intelligence services, created a way to use Samsung Smart TV sets as a bug – able to listen in and record everything, even though it looks like it's not powered on, according to the documents.

Called "Weeping Angel," the malware turns the TVs to a 'fake-off' mode. So someone thinks it's off when it's actually on, recording what it hears and sending it via the internet to CIA servers.

Windows, OS X, Linux all targeted

The vulnerabilities go to computer operating systems too.

WikiLeaks says the CIA uses multiple strategies to try to infect Microsoft Windows computers, including "local and remote weaponized 'zero days', air gap jumping viruses ... infectors for removable media such as USBs," and more.

The agency also has automated malware attacks for Mac OS X, Solaris, Linux, and more.

'Zero day' vulnerabilities

"Zero days" are a common term in the hacking world – a zero day vulnerability is when there's a hole in software that opens it up to possible hacks, but the developer doesn't know it exists, WIRED explains. Since the person who made the software doesn't know about the vulnerability, anti-virus programs also don't know about it. And you can't fix a problem you don't know is there.

The term is a reference to how many days the software creator has known about the hole, WIRED says.

According to the WikiLeaks documents, the CIA collected zero days that could be used against the major manufacturers (Apple, Google, Microsoft, etc.) – and didn't tell those companies about them. So the agency would learn about security holes and track them, but not alert the people who could fix them.

Not divulging these zero days would seemingly go against a public Obama-era policy, which said it wouldn't be in national security interest to amass "a huge stockpile of undisclosed vulnerabilities while leaving the internet vulnerable and the American people unprotected."

Here's one example of a zero day vulnerability that wasn't disclosed, WikiLeaks says:

More docs are coming

As mentioned above, these documents have not been verified – though other reporting points to them being legitimate.

WikiLeaks meanwhile promises that this Year Zero release is just the first in a series.

You can search through all of the leaked documents here. (Note it includes very technical language.)
