WikiLeaks publishes documents claiming CIA can spy through smart TVs, phones and cars

Posted at 12:26 AM, Mar 08, 2017
and last updated 2017-03-08 09:26:19-05

NEW YORK (AP) -- Maybe the CIA is spying on you through your television set after all.

Documents released by WikiLeaks allege a CIA surveillance program that targets everyday gadgets ranging from smart TVs to smartphones to cars. Such snooping, WikiLeaks said, could turn some of these devices into recorders of everyday conversations -- and could also circumvent data-scrambling encryption on communications apps such as Facebook's WhatsApp.

WikiLeaks is, for now, withholding details on the specific hacks used "until a consensus emerges" on the nature of the CIA's program and how the methods should be "analyzed, disarmed and published." But WikiLeaks -- a nonprofit that routinely publishes confidential documents, frequently from government sources -- claims that the data and documents it obtained reveal a broad program to bypass security measures on everyday products.

"It’s more than alarming," HealthGuard Security CEO Apolonio Garcia said of the information. "This is about as scary as it gets."

Raphael Satter, who covers cyber security topics for the Associated Press, said the release of the documents had his contacts within the CIA on edge because the agency feels that its own privacy might have been compromised. If the information in the leaked files is authentic, WikiLeaks could have exposed the CIA's most important information-gathering methods to the entire world.

"I just spoke to a former CIA officer who told me this was really bad," Satter said Tuesday. "He said that there would be a serious reckoning within the CIA. … This is, in some ways, Wikileaks' most daring release yet."

If true, the disclosure could spark new privacy tensions between the government and the technology industry. Relations have been fraught since 2013, when former National Security Agency contractor Edward Snowden disclosed secret NSA surveillance of phone and digital communications.

Just last year, the two sides feuded over the FBI's calls for Apple to rewrite its operating system so that agents could break into the locked iPhone used by one of the San Bernardino attackers. The FBI ultimately broke into the phone with the help of an outside party; the agency has neither disclosed the party nor the nature of the vulnerability, preventing Apple from fixing it.

According to WikiLeaks, much of the CIA program centered on dozens of vulnerabilities it discovered but didn't disclose to the gadget makers. Common practice calls for government agencies to disclose such flaws to companies privately, so that they could fix them.

Instead, WikiLeaks claims, the CIA held on to the knowledge in order to conduct a variety of attacks. As a result, tech companies such as Apple, Google and Microsoft haven't been able to make the necessary fixes.

"Serious vulnerabilities not disclosed to the manufacturers places huge swathes of the population and critical infrastructure at risk to foreign intelligence or cyber criminals who independently discover or hear rumors of the vulnerability," WikiLeaks wrote in a press release. "If the CIA can discover such vulnerabilities so can others."

Not everyone is worried, though.

Alan Paller, director of research for the cybersecurity training outfit SANS Institute, said the case boils down to "spies who use their tools to do what they are paid to do." He said criminals already have similar tools - and he's more worried about that.

Rich Mogull, CEO of the security research firm Securosis, said that agencies gathering intelligence on other organizations and governments need, by definition, technical exploits that aren't public.

If they're authentic, the leaked CIA documents frame a stark reality: It may be that no digital conversation, photo or other slice of life can be shielded from spies and other intruders prying into smartphones, personal computers, tablets or just about device connected to the internet.

"It's getting to the point where anything you say, write or electronically transmit on a phone, you have to assume that it is going to be compromised in some way," said Robert Cattanach, a former U.S. Department of Justice attorney who now specializes in cybersecurity and privacy for the law firm Dorsey & Whitney.