15 March 2017

Next WikiLeaks worry: the release of the code


Elizabeth Weise and Jon Sw

SAN FRANCISCO — The computer security world is bracing for the next bombshell from the massive WikiLeaks document leak: disclosure of the actual computer code for the CIA's alleged cyberweapons.

On Tuesday, the website WikiLeaks published more than 8,000 of what it said were official documents detailing CIA tools for hacking into the software and systems of popular consumer technology, from Windows to iPhones to Android devices. The cyberweapons, the documents suggested, could even turn Samsung smart TVs into eavesdropping spies.

But the crusading site didn't release the code, saying it was postponing release “until a consensus emerges on the technical and political nature of the C.I.A.’s program” and how the cyberweapons could be disarmed.

Simply the existence of such tools, while not surprising to many in the security field, was enough to raise privacy hackles. Enticed by convenience, consumers are increasingly keeping Internet-connected super computers in their pockets, on their dressers and in their cars. These not only know their users' plans, tastes and locations, but also frequently are "listening" for a prompt.

The release of the codes, warn some security experts, would be the cyber equivalent of releasing a neutron bomb in the middle of Times Square.

Suddenly, sophisticated cyber weapons created by one of the world's most powerful intelligence agencies would be available to anyone, from small countries without their own state computer security apparatus to teen hackers in their bedrooms.

The possibilities are giving security experts the willies. Potential effects:

- difficult-to-detect eavesdropping software being planted on the phones of millions of users

- the ability to make smartphones running the Android operating system spy on the WiFi networks around them

- access to a program that sits quietly on a device until a specific event or action occurs, which launches it into send mode to a specific "listener."

“There are clear Pearl Harbor Day scenarios,” says Philip Lieberman, president of Los Angeles-based computer security company Lieberman Software. These could range from simple inconveniences — no email — to more troublesome things.

How troublesome? Take the oddball software update glitch in June that made Lexus radio and navigation systems inoperable. Now, consider — as the CIA did in a meeting in 2014, according to the WikiLeaks documents — if a hacker released a code that infiltrated and took over systems in such Internet-connected cars, one that couldn't be reset.

The prospect of what hackers could do with the code is "so mind-boggling that it’s difficult to categorize all the consequences,” says Robert Cattanach, a partner at international law firm Dorsey & Whitney and previously a trial attorney for the Justice Department. “As individuals, we would no longer have any reasonable expectation of privacy,” he said.

Even without the code, the WikiLeaks release is a treasure trove for hackers because simply knowing that something has been done gives them crucial clues about how to build the tools described.

With that in mind, big software companies such as Apple, Microsoft and Samsung are already looking into, and in some cases creating fixes for, these problems. Apple, in a late Tuesday statement, said it's already fixed many of the security issues detailed by WikiLeaks. Samsung said it was "urgently looking into the matter."

“If manufacturers aren’t scrambling now to build patches for these problems, they are being derelict,” says Herbert Lin, a senior research scholar for Cyber Policy and Security at Stanford University.

Code that doesn't get patched, or more likely devices whose owners neglect to update them, would remain vulnerable.

And if the code is released, it would turn the economics of hacking upside down. Where once those with the most resources, like the CIA, had the best code, now it would be available to everyone.

“Smaller countries and other hacking groups just became the benefactor of a massively-funded state level hacking team,” said Eric Ahlm, a senior security researcher with Gartner.

Federal authorities on Wednesday launched a criminal investigation into the release of the CIA documents.

For consumers, there are two things they should focus on: "Patch their software when a patch is available and use two-factor authentication whenever available," said Paul Querna, chief technology officer at security company ScaleFT.

Living in a post-privacy world

If the documents are legitimate, as many cybersecurity experts believe they are, they paint an alarming picture of spy agencies more interested in stockpiling vulnerabilities for a future exploit than working with vendors to shore up vulnerabilities.

The escalating digital arms race comes at a time when President Trump has a contentious relationship with the intelligence community and is in an antagonistic dance with the tech world over American jobs, tariffs and taxes. And it puts the president in a sensitive spot since he famously said, "I love WikiLeaks," for its role in publishing email from the account of Clinton campaign manager John Podesta.

"If the CIA knows of a specific exploit, chances are that the MI6, FSB, MSS and Mossad are aware of it as well," says Slawek Ligier, vice president of engineering at computer security firm Barracuda Networks.
