The CIA may be equipped with an arsenal of hacking tools that can give it access to your phone, computer and other devices, according to a report by CBS News.
(Disclosure: CNET is part of CBS Interactive, which is owned by CBS.)
But what's really going on?
Updated March 8 at 2:40p.m. PT with CIA statement.
What did WikiLeaks publish?
WikiLeaks, the organization notorious for leaking highly secure government data, published a cache of documents that reportedly exposes tactics the CIA uses to hack into our devices. WikiLeaks released more than 8,700 documents and files -- codenamed "Vault 7" -- on Tuesday, which it says are part of a CIA archive. We haven't yet independently verified the information.
According to WikiLeaks, the CIA lost control of an archive that details the ways in which it hacks devices. The archive landed in the hands of "former US government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive."
What do I need to know?
Here's the TL;DR: If the info WikiLeaks exposed is accurate, the CIA may be equipped with a variety of tools that let it hack into your phone, smart TV (kind of, more on that later), computer and router. That's basically all the things you own that are connected to the internet.
It turns out that the CIA's tools can be used to read encrypted messages sent on otherwise secure apps like WhatsApp, Signal and Telegram.
How did the CIA respond?
The CIA wouldn't confirm or deny whether the Wikileaks documents are real, but suggested that even if they were, it's kind of, you know, the CIA's job to spy on people -- at least ones outside the United States.
In the CIA's own words, via CBS News:
"We have no comment on the authenticity of purported intelligence documents released by Wikileaks or on the status of any investigation into the source of the documents. However, there are several critical points we would like to make:
CIA's mission is to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries. It is CIA's job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad. America deserves nothing less.
It is also important to note that CIA is legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and CIA does not do so. CIA's activities are subject to rigorous oversight to ensure that they comply fully with U.S. law and the Constitution.
The American public should be deeply troubled by any Wikileaks disclosure designed to damage the Intelligence Community's ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize US personnel and operations, but also equip our adversaries with tools and information to do us harm."
What kind of devices can the CIA hack?
If the report is true, the CIA can hack devices such as:
- Android phones
- Windows and Linux computers
- Mac computers
- Smart TVs (this one's iffy -- see "What is Weeping Angel?" for more)
Can the CIA really read all of my WhatsApp (and other app's) private messages?
WikiLeaks' data dump suggests that, yes, the CIA could read your private messages before they even got encrypted. But again, that's if the info is real. We don't know that yet.
But I thought WhatsApp, Signal and other apps encrypted my messages?
Those apps do employ encryption, but that's useless if the CIA can hack your phone. If you crack the operating system, you don't need to crack the app.
The OS shows what's on screen, listens to you typing or dictating words, and captures that unencrypted original data. If software -- like the alleged CIA hacking software -- can access the phone at that privileged level, it doesn't matter whether data is encrypted at rest (stored on disk/flash memory) or in flight (sent over a network).
One thing we're unsure of is which versions of Google's Android, Apple's iOS, Mac OS X and smart TV software and other operating systems, including from Microsoft, may have been hacked.
How did the CIA hack these devices?
There isn't a single method the CIA uses to hack internet-connected devices. According to the report, the intelligence agency uses a combination of malware, viruses, trojans and zero-day exploits (security holes that a manufacturer isn't yet aware of, and so can't easily patch) to gain access to these devices.
Does this mean devices like my phone and smart TV aren't secure?
We're still not sure. We're actively reaching out to companies mentioned in the WikiLeaks documents and will update this story as the news develops. So far, Apple, Google and Motorola have each declined to comment.
The documents only represent three years of alleged data. We don't know how this program evolved or if it continued after the life of the documents WikiLeaks released. Samsung stated it is aware of the WikiLeaks report and urgently looking into the matter.
Here's what one security expert, whose background includes years of hacking iPhones, says:
What is Weeping Angel?
Weeping Angel is how the CIA (and the UK's MI5) can allegedly hack into a Samsung Smart TV (just the 55" F8000 model). It sounds pretty creepy: Wikileaks documents suggest it could put your TV into a "Fake-Off" mode where the TV turns its screen off, even disables its LEDs, and yet keeps spying on you with its built-in microphones.
But according to the documents, the two groups hadn't yet figured out how to deploy the hack over the internet. Since the documents don't reflect the most up-to-date information, it's unclear if the program was ever refined and deployed.
The hack is pretty aptly named: the Weeping Angel is also a terrifying monster from the UK's popular sci-fi show Doctor Who -- one which isn't deadly when you look at it, but can attack as soon as you blink or look away. Similarly, documents suggest that the Samsung hack didn't work while people were actively watching TV.
Samsung said in a statement on Wednesday, "Protecting consumers' privacy and the security of our devices is a top priority at Samsung. We are aware of the report in question and are urgently looking into the matter."
Is the CIA actually spying on us?
Unclear. Even assuming the documents are legit and the CIA has these tools, Wikileaks isn't accusing the government of using them for mass surveillance -- only of stockpiling vulnerabilities, and paying for vulnerabilities, that could let them theoretically spy on people.
Assuming this program is real, we haven't yet seen evidence that the CIA is using them to spy at all, and even if so, we don't know whether they're being used systematically or on a case-by-case basis.
Who else might be able to spy on us with these tools?
According to Wikileaks, many of these tools were developed internally at the CIA, but -- assuming the documents are legit -- the CIA may have purchased others from contractors, and obtained still others from the NSA and the UK's GCHQ. The Samsung Smart TV hack was also allegedly developed in partnership with the UK's MI5 security agency.
It's possible that other US-friendly government agencies have access to these tools, and it's also possible that the Wikileaks data dump makes these particular vulnerabilities low-hanging fruit for new tools to be produced -- assuming they exist, and assuming vulnerable companies don't patch their devices and software first.
How is this different from what the NSA can do to my devices?
If you want to compare directly to the NSA programs as revealed by Edward Snowden, the main difference is that the CIA's programs appear to be targeted hacking tools that get around the protections on your devices. The NSA programs work to sweep up information from company servers and the backbone of the internet.
Are these hacks still in use?
Maybe, maybe not. The documents that Wikileaks released today only cover the CIA's program from 2013 to 2016, so it's not clear if they're still in use.
We're also not sure which versions of the Google Android, Apple iOS and Mac OS, and Samsung Smart TV operating systems were originally affected -- it's possible that some of these vulnerabilities were patched in subsequent updates.
For some hacks, it's not clear whether the CIA used them at all. For instance, the Wikileaks documents that describe the "Weeping Angel" hack for Samsung Smart TVs are a snapshot from 2014, when the CIA appears to have still been figuring out how to make it work reliably.
Is there anything I can do to secure my phone, TV or PC?
We're not sure. The information currently available indicates the devices the CIA reportedly hacks -- including phones, tablets, smart TVs and computers -- have vulnerabilities that the organization is able to exploit. If that's true, it would mean all affected companies would need to patch these vulnerabilities to secure the devices.
And while we do have instructions on how to keep your Samsung Smart TV from listening to you, it's not clear that these steps would trump the CIA's workarounds. In fact, based on the hack detailed in the report, it wouldn't.
This is a developing story. Check back for updates.
Stephen Shankland and Patrick Holland contributed to this story.