Last week the interweb was a-dither about the latest data dump from WikiLeaks involving thousands of pages of internal discussions at the CIA about various hacking techniques that enable them to – among other things – eavesdrop on smartphones and WhatsApp chat threads, convert a smart TV into a surveillance mike, and take control of a connected car.
Much of the commentary has been predictably political – and no surprise, given both the general state of things (i.e. just about everything is political) and WikiLeaks positioning itself as a political actor via its admitted attempt to influence the US election in favor of Donald Trump.
Apart from that, I only have a few things to say about it:
1. We’re talking 8,000+ pages of documents here. People are still going through them, and what we know is massively outweighed by what we don’t yet know. Any sensible commentary will take this into account.
3. Based on what we do know so far, this ain’t Snowden 2.0. The CIA does have the authority to do this kind of thing (provided they go through proper channels and limit their targets to proper suspects, as opposed to the mass data collection that the NSA was engaged in). So it’s no real surprise that they have this ability. They are essentially a spy agency, after all. (Whether or not they should have these kinds of surveillance capabilities is another discussion.)
4. For my money, the crucial takeaway is that we need to put even greater emphasis on the importance of security in the coming Digital IoT era where everything is connected and the network is software. We already know the sorry state of IoT security today. The CIA data dump is mostly a reminder that hackers aren’t the only ones keen to exploit those security vulnerabilities.
It also serves notice that government agencies do not have a vested interest in warning OEMs and software developers when a vulnerability has been discovered. Indeed, they’d much rather collect them and use them. The same arguably goes for groups like WikiLeaks, argues Herb Lin at LawFare:
The Wikileaks press release says that the CIA hoarded vulnerabilities rather than disclosing them, and thereby compromised the security of the affected devices. No evidence has emerged that the CIA planted vulnerabilities, so in fact, the actor most immediately responsible for compromising the security of the affected devices is Wikileaks itself. Wikileaks had the option of contacting vendors and notifying them privately so that they could patch the vulnerabilities—but they chose to announce them without giving vendors that chance.
We’re going to be learning a lot about the CIA documents in the next couple of weeks, so we’ll see if there are any bombshells buried in them. In the meantime, security needs to be top priority for everyone in the IoT value chain, regardless of who is trying to break in.