Photographee.eu - Fotolia
In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss the confusion around WikiLeaks' release of government documents regarding CIA hacking tools.
The Vault 7 documents outlining CIA hacking tools and techniques, including previously undisclosed zero-day vulnerabilities, continue to create a stir following their publication by WikiLeaks.
The Vault 7 documents describe a number of zero-day vulnerabilities for Apple iOS, Google Android, Microsoft Windows and other platforms, as well as hacks for smart TVs and other devices.
While the CIA hacking tools themselves were not published -- the documents only contained descriptions -- the Vault 7 release and WikiLeaks' messaging about the documents created confusion about what the agency's hacking capabilities actually are, and for what purpose they are being used.
For example, WikiLeaks claimed via Twitter that the "CIA can effectively bypass" the encryption in popular messaging apps, such as Signal, WhatsApp and Telegram. However, the Vault 7 documents contain no such encryption breaking exploits, and merely outline how the agency can root a smartphone and obtain messages from the device before they are encrypted and sent by these apps.
The leak also led to criticism of both the CIA and WikiLeaks for not disclosing the zero-day vulnerabilities to affected vendors; the issues of responsible disclosure and the government's Vulnerabilities Equities Process have been hot topics in the infosec industry this year. Days after the Vault 7 release, WikiLeaks made a pledge to disclose the CIA hacking tools to software vendors so they can patch the zero-days.
In this week's episode of SearchSecurity's Risk & Repeat podcast, editors Rob Wright and Peter Loshin discuss the leak of the CIA hacking tools documentation and the misinformation and confusion that followed. They also discuss what the leak means for the U.S. government, responsible disclosure practices and enterprise security.