CIA hacking tools: Should we be worried?

image copyrightAP

Thousands of documents said to detail the CIA's hacking tools were published by Wikileaks on Tuesday.

They included allegations that the CIA had developed ways to listen in on smartphone and smart TV microphones.

The CIA has been criticised by civil rights groups who say the agency "stockpiled" security flaws in devices to use them for its work, but left the population at risk by doing so.

"Our digital security has been compromised because the CIA has been stockpiling vulnerabilities rather than working with companies to patch them," said Nathan White, from the civil liberties group Access Now.

Should we be worried?

"It's not a surprise that people who have a mission to find bad guys and protect nations are using every means at their disposal to gather intelligence on a focused target," said Don Smith from cybersecurity firm SecureWorks.

"If the CIA doesn't have capabilities for eavesdropping, it's not doing its job."

Alan Woodward, a security researcher who advises Europol and previously advised UK spy agency GCHQ, said the public should be "encouraged" by the information published.

"Most of the leaked documents are about targeted attacks. This is not about mass surveillance and vacuuming up a haystack of data to search for a needle," he told the BBC.

"They need warrants, they can't just tap in to any phone - it doesn't work like that. One of the reasons people have faith in the security services is that they tend to obey the law, and when they don't it comes out.

"If Wikileaks has the code behind these exploits, it has a responsibility not to publish that. To do so would expose the public to the very real danger of criminals reusing those exploits still working. These were kept in a controlled environment for a reason."

However, Access Now said the CIA's decision to keep security flaws to itself had "significant repercussions for human rights and digital security".

Whistleblower Edward Snowden criticised the scope of the CIA's methods.

"Imagine a world where the actual CIA spends its time figuring out how to spy on you through your TV," he wrote on Twitter. "That's today".

Are 'smart' devices safe?

image copyrightGetty Images
image captionMany home gadgets are now connected to the internet

Homes are becoming increasingly "smart", with everything from light switches to voice-activated kitchen appliances connected to the internet. If unsecured, these could reveal our activities in the home.

"The concept that intelligence agencies are doing broad personal surveillance using these devices is not realistic," said Mr Smith.

"I would be amazed if that was the case because the resources to make sense of all the data just aren't there.

"My concern is much more what online criminals might be able to achieve with these devices. There are plenty of examples of things such as baby monitors being open to the wider internet."

The documents published by Wikileaks detail ways in which some Samsung televisions could be used to spy on their owners. Mr Woodward said it was unlikely the exploit was widely used.

"They're talking about a few models of Samsung TV. If you read the documents, they have been vulnerable for a while. It would be surprising if the CIA was not looking into that," he said.

"Has the CIA remotely hacked them? No. They have to get into your home and plug a USB drive in to them. It's a high risk. If you have to get in to somebody's house you can give yourself away."

image copyrightGetty Images
image captionEven fridge-freezers can be connected to the internet

Mr Woodward said anybody worried that their appliances were spying on them could "unplug them at the wall".

That advice may not help those with a modern voice-controlled fridge-freezer, the likes of which have started to go on sale.

However, SecureWorks' Mike McLellan, who previously worked at the UK government's National Cyber Security Centre, said the average household should have "bigger concerns".

"You are more likely to be a victim of cybercrime or ransomware, than happen to become a subject of interest for an intelligence agency."

Can the CIA read my WhatsApp or Signal messages?

image copyrightGetty Images
image captionMany messaging apps now encrypt content

Encrypted messaging apps offer people some peace of mind that their private messages cannot be intercepted as they travel across the internet, as the messages are scrambled.

The CIA documents describe methods to compromise smartphone operating systems such as Android and iOS, which could let agents read messages sent via encrypted services such as WhatsApp and Signal.

Mr Woodward said the documents did not suggest the CIA had "cracked" the encryption of either platform. Instead, messages could be read by compromising the "end point" - the sender or receiver's smartphone - where the messages are already decrypted.

He said the documents indicated that governments "accept that encryption is going to become commonplace on networks" and that they must focus efforts on "getting in to the end points to read messages".

"They know banning encryption is not going to work," he said.

Should the CIA have helped fix security flaws?

Mr Snowden has described the CIA as "reckless beyond words", for keeping knowledge of security holes in devices such as smartphones to itself.

"The CIA reports show the [United States government] developing vulnerabilities in US products, then intentionally keeping the holes open," he wrote on Twitter.

"Why is this dangerous? Because until closed, any hacker can use the security hole the CIA left open to break in to any iPhone in the world."

Mr Woodward said he was not surprised that the CIA had not disclosed security holes it had found to manufacturers such as Apple and Google.

image copyrightGetty Images
image captionSoftware flaws in a smartphone could compromise security

"If your mission is to spy, are you going to tell people something only you know about?" he asked.

"This is the CIA, not a computer security agency. If they have [exploits] they are going to use them. It's somebody else's job to fix them."

Mr McLellan said it was "a fact of life that intelligence agencies will look for security vulnerabilities", but added that private companies were also searching for flaws and "selling them to the highest bidder".

That concerns Mr White, who suggests keeping flaws secret puts ordinary citizens at risk.

"It's simply a fantasy to believe that only the 'good guys' will be able to use these tools," he said in a blogpost.

"It is critical for governments, law enforcement, technologists, and civil society to have an honest conversation about the impact of government hacking in the digital age."

However, Mr Woodward said it was likely that many of the security flaws in the leaked documents had already been fixed.

"The idea that the CIA is hoarding [security flaws] is not true. These things are relatively rare... and fixes for them move so quickly that a year or two is almost another era in technical terms," he said.

"I would be surprised if they were 'stockpiling' such exploits. I think you'll find they use them while they still can."

Will artificial intelligence threaten our privacy?

Routine recording of the population would be a huge, and potentially unfeasible, undertaking for an intelligence agency. However, developments in artificial intelligence could make processing data faster and easier.

Companies - including Amazon and Google - already sell voice-controlled speakers and smartphones that can understand commands and transcribe speech. Such technology could one day be used to help monitor citizens.

image copyrightReuters
image captionSpeakers such as Google Home can understand voice commands

"There is the ability to collect telephony en masse now," said Mr Smith. "AI may speed it up and make more sense of the data, but I don't think it's something the average person should be worried about. It could be a future risk, among many future risks."

Mr Woodward added: "Think of the volumes of data you'd be dealing with. They don't have the ability to record every phone conversation in the world, let alone every conversation within ear-shot of a phone.

"If you're not a person of interest, they just don't have the capacity."

More on this story