WikiLeaks published a trove of purported CIA files this week, renewing debate over government hacking and surveillance techniques. But many experts say the anti-secrecy group’s analysis of the data may have been intentionally misleading.
The batch of documents published Monday, the first in what WikiLeaks says will be a string of releases it’s calling “Vault 7,” contains descriptions of hacking tools, engineering notes, internal communications and more.
But while intelligence officials and lawmakers believe the documents are valid, experts say WikiLeaks may be overplaying its hand.
“As usual, the documents dumped appear to be real. But this analysis was just bonkers,” said Nicholas Weaver, a researcher at the International Computer Science Institute at the University of California at Berkeley.
The CIA said in a statement Wednesday afternoon that the agency's job is to be the first line of defense against America's enemies.
"The American public should be deeply troubled by any WikiLeaks disclosure designed to damage the Intelligence Community’s ability to protect America against terrorists and other adversaries," the statement read. "Such disclosures not only jeopardize US personnel and operations, but also equip our adversaries with tools and information to do us harm."
Security professionals point to a number of conclusions drawn by WikiLeaks in its summary of the release that go well beyond the facts.
A number of misleading statements that exaggerate the documents’ descriptions of CIA capabilities, Weaver said, lead him to assume WikiLeaks is intentionally skewing the documents’ contents.
“WikiLeaks is and has been for a few years just a sabotage organization mostly interested in denigrating big targets,” he said.
Robert L. Deitz, a former counselor to the CIA director and the NSA, agreed with Weaver’s assessment.
“To me he’s like Samson in the temple, pulling down everything on everybody’s heads,” he said, seemingly referring to WikiLeaks founder Julian Assange.
Among WikiLeaks’ conclusions from the documents were that the CIA has a method to defeat encryption from popular apps, could easily spy on anyone with a Samsung smart TV, and could hack into cars’ control systems. But those claims overstate the contents of the documents.
And some information — for example, that intelligence agencies can hack cell phones or that internet-connected devices are vulnerable to hackers — was already widely known.
For example, the FBI’s investigation into the terrorist attack in San Bernardino, Calif., thrust Apple into the spotlight over its refusal to create a so-called back door into the shooter’s iPhone. The FBI ultimately revealed that it had managed to hack the phone without the tech company’s help.
The WikiLeaks press release that accompanied the documents also said that the CIA can “bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the ‘smart’ phones that they run on and collecting audio and message traffic before encryption is applied.”
Outlets including the New York Times reported this as if the CIA had a way to target these specific apps. The Times eventually retracted the claim.
Any time hackers gain complete access to a system, they also can access unencrypted data, including data that is on its way to encryption like messages or other info sent over secure apps. So the CIA’s well-known hacking capabilities would allow it to gather data sent via apps, but not with any app-specific tool. The documents do not even appear to specifically mention the apps WikiLeaks listed.
Deitz, now a professor at George Mason University, said much of the information revealed by the leaks is not new or surprising to anyone familiar with basic U.S. intelligence operations and reports of electronic devices’ security flaws.
“If the government didn’t have that capability, people ought to be fired,” he said.
WikiLeaks also claimed in its release that the CIA had the ability to carry out “nearly undetectable assassinations” by hacking into cars.
“As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks. The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations,” the release reads, with a link to a meeting agenda.
But the attached agenda does not say that infecting a control system would be used to manipulate the car in any way. In fact, the lone mention of car hacking comes in a bullet-point list immediately following details about surveillance through smart televisions. Experts contacted by The Hill said the most likely reason the CIA has for developing automotive hacking is also surveillance — co-opting microphones used for voice controls and OnStar into eavesdropping devices.
The press release describes the CIA’s widely reported program to hack Samsung smart televisions by painting a picture of George Orwell's “1984,” where all rooms are spied upon by cameras in televisions. It led many news outlets to cover the smart television hacks as having the potential for mass surveillance.
However, the leaked documents describe the hacking method as requiring in-person access to a television, meaning it could only be used in extremely targeted instances.
“In fact, most of what these documents show is that the CIA hacks people in an extremely targeted manner. When the [Edward] Snowden documents came out, that’s what everyone said they wanted,” said Robert M. Lee, the CEO of the security firm Dragos and a fellow at the New America think tank.
The most concerning thing mentioned in the press release, said Lee, was something picked up widely in right-wing media: CIA programs used to disguise its hacking tracks as those of another attacker, casting doubt on the attribution to Russia of political attacks on the Democratic National Committee and others.
But Lee said that security professionals are aware that nations and other hackers have similar capabilities and know how to stop them.
“We’ve known this for a long time and known how to counter it for a long time,” said Lee, who went on to say he was still confident in the director of national intelligence’s conclusion that Russia was behind election-season cyberattacks.
All the experts The Hill spoke to agree that even if WikiLeaks’ analysis is misleading, there could still be important news within the documents.
Deitz noted that the NSA, not the CIA, traditionally handles signals intelligence — meaning the CIA might have overstepped its jurisdiction. And every expert agreed it was extremely concerning that someone was able to download so much data from a secure CIA network and hand it off to WikiLeaks.
The overinflated claims, said Lee, only serve to sow distrust between the president and intelligence agencies, between citizens and the government, and between the U.S. and the rest of the world.
“Once WikiLeaks establishes it is the only true news source, then it can say whatever it wants,” he said.