WikiLeaks published a collection of more than 8,000 documents and files Tuesday that, if legitimate, show how the CIA can hack into phones, TVs, and other devices.
The group alleges some of the largest software and hardware companies are vulnerable – including the iPhone, Android devices, Microsoft Windows, and Samsung Smart TVs. The CIA's hackers, according to the documents, are able to access data from all of them – even if encryption services like WhatsApp or Signal are being used – with texts, audio messages, and more available.
The leak has been dubbed "Year Zero," with WikiLeaks claiming the documents come from the CIA in Langley, Virginia, and are from 2013-2016. The group obtained these after it says the CIA lost control of much of its hacking arsenal – millions of lines of code used to execute different cyber intrusions.
The arsenal has been shared (without authorization) by former government employees and contractors, with one giving a portion of the documents to WikiLeaks.
This is only a portion of what's revealed in the leak – expect more to come out in the coming hours and days as people comb through all the files. But here's a rundown of the big stuff right now, all according to WikiLeaks.
Are these legit?
This is the big question: Are these documents actually from the CIA?
The New York Times says their authenticity appeared "likely" after a review. And a source in the intelligence community told the Wall Street Journal some of the information "does pertain to tools that the CIA uses."
The CIA publicly has told outlets such as the Washington Post it doesn't comment on the authenticity of documents.
According to the documents, the CIA has a special unit that "produces malware to infest, control and exfiltrate data" from devices that use iOS – so iPhones and iPads, for example.
There's another unit targeting Google's Android operation system.
The CIA's methods allow hackers to get audio and texts from the phone – even if someone is using supposed safety apps like WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman. The CIA is able to hack into the smartphone itself, and skim all that information before any encryption is applied to it.
The CIA, in collaboration with British intelligence services, created a way to use Samsung Smart TV sets as a bug – able to listen in and record everything, even though it looks like it's not powered on, according to the documents.
Called "Weeping Angel," the malware turns the TVs to a 'fake-off' mode. So someone thinks it's off when it's actually on, recording what it hears and sending it via the internet to CIA servers.
Windows, OSx, Linux all targeted
The vulnerabilities go to computer operating systems too.
WikiLeaks says the CIA uses multiple strategies to try to infect Microsoft Windows computers, including "local and remote weaponized 'zero days', air gap jumping viruses ... infectors for removable media such as USBs," and more.
The agency also has automated malware attacks for Mac OS X, Solaris, Linux, and more.
'Zero day' vulnerabilities
"Zero days" are a common term in the hacking world – a zero day vulnerability is when there's a hole in software that opens it up to possible hacks, but the developer doesn't know it exists, WIRED explains. Since the person who made the software doesn't know about the vulnerability, anti-virus programs also don't know about it. And you can't fix a problem you don't know is there.
The term is a reference to how many days the software creator has known about the hole, WIRED says.
According to the WikieLeaks documents, the CIA collected zero days that could be used against the major manufacturers (Apple, Google, Microsoft, etc.) – and didn't tell those companies about it. So they would learn about security holes, track them, but not alert the people who could fix it.
Not divulging these zero days would seemingly go against a public Obama-era policy, which said it wouldn't be in national security interest to amass "a huge stockpile of undisclosed vulnerabilities while leaving the internet vulnerable and the American people unprotected."
Here's one example of a zero day vulnerability that wasn't disclosed, WikiLeaks says:
More docs are coming
As mentioned above, these documents have not been verified – though other reporting points to them being legitimate.
WikiLeaks meanwhile promises that this Year Zero release is just the first in a series.
You can search through all of the leaked documents here. (Note it includes very technical language.)