News

WikiLeaks’ Release on CIA Hacking Tools Raises Concerns about IoT Security to New Heights

March 13, 2017 by Chantelle Dubois

The CIA has a trove of tools that takes advantages of exploits in connected devices. Have we set ourselves up for a perfect storm of constant surveillance and vulnerability?

The IoT is changing the world. But the recent WikiLeaks report that the CIA has the ability to access and even control IoT devices raises more questions than ever about whether connectivity sacrifices security.

The concept of the “Internet of Things” exploded in 2016, with many new devices able to connect to the Internet that weren’t before. Aside from the usual devices such as smartphones and personal computers, connectivity features are being increasingly designed into automotives, home appliances, fitness devices, and more.

Now, a recent WikiLeaks report claims that the CIA has a trove of tools that takes advantages of exploits in connected devices, the very IoT that we've been expanding. Have we set ourselves up for a perfect storm of constant surveillance and vulnerability? If so, how can we stay safe?

The CIA and WikiLeaks

The purpose of the CIA is to collect, analyze, and recommend or carry out actions in response to foreign intelligence that has relevance to national security. Typically, the CIA has little to do with domestic intelligence collection, focusing instead on counterterrorism, counterintelligence, and cyber intelligence.

The CIA reports to the Director of National Intelligence, a cabinet official of the US government, who in turn reports to and advises the President, as well as heads the US Intelligence Community and the National Intelligence Program.

Many countries in the world have some sort of intelligence agency for both security and foreign intelligence gathering. While the public may see intelligence agencies as being ominous, their purpose is to keep the nation they are serving safe. Whether they overstep their bounds when doing so is another topic.

Earlier this week the Internet lit up when WikiLeaks released Year Zero which is part of the Vault 7 series of leaks on the hacking capabilities of the CIA. Year Zero contains over 8,000 documents outlining the use or discussion of tools that can be used to exploit software that can manipulate smart TVs, control systems in automotives, and give access to smartphones running iOS and Android, as well as devices using Windows, OSx, and Linux.

Considering that nearly all mainstream devices use at least one of these software systems, the idea that the CIA—or anyone equally capable—has the ability to take advantage of exploits to access to such devices is concerning indeed.

The WikiLeaks release also highlights that the CIA did not reveal vulnerabilities to US manufacturers, despite committing to do so. So, companies like Apple, Samsung, and others were not able to address these security issues to prevent exploitation. To an extent, this robs designers and manufacturers of the opportunity to make their devices as safe as possible.

 

If you're writing about the CIA/@Wikileaks story, here's the big deal: first public evidence USG secretly paying to keep US software unsafe. pic.twitter.com/kYi0NC2mOp

— Edward Snowden (@Snowden) March 7, 2017

 

In response to the leak, the CIA released a statement, part of which states:

 

"CIA’s mission is to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries. It is CIA’s job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad. America deserves nothing less.

It is also important to note that CIA is legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and CIA does not do so. CIA’s activities are subject to rigorous oversight to ensure that they comply fully with U.S. law and the Constitution."

 

However, perhaps the most concerning part of this leak is that it suggests control of these tools has been lost. Anyone with access to these tools now has access to all the exploits described in the documents, if they do indeed exist.

 

This satire video jokingly explains how to tell if you are vulnerable to CIA hacking tools.

Being Connected with the IoT

The WikiLeaks documents are significant because they suggest that exploits are being taken advantage of in systems that have fairly sophisticated security measures in place.

However, with today's prevalence of IoT connectivity, it is possible manufacturers may not realize how their devices can be exploited and may not be putting in the same effort to maintain the integrity of their systems, especially if they have low processing power or have very basic functions. Anyone with some technical knowledge and the ability to conduct a Google search can possibly gain access to webcams, or other connected devices. There are also services online that index devices that are connected to the Internet and not secured.

Last October, this very vulnerability in IoT devices was taken advantage of to conduct DDoS on a range of websites and online services, including Spotify, Twitter, and Reddit. This attack on Dyn servers is considered one of the worst infrastructure attacks to date.

While the idea of not being able to access your favourite social media platform for a period of time may seem trivial, it’s the potential misuse of control that sends shivers down security experts' spines. Being able to conduct large-scale DDoS attacks on any website at any time by recruiting the help of IoT devices that lack security means that parts of the Internet can be shut down at will. The Internet is a powerful tool that can provide access, communication, and information and the consequences of destabilizing it are unforeseen. Cisco predicts that by 2020 there will be 50 billion “things” connected to the Internet.

 

Image courtesy of CISCO

 

Further, IoT devices can also be used to access personal information, observe or record device users, and give access to any information or control the device has with relatively little effort.

In the automotive industry, it has already been acknowledged by automotive manufacturers themselves quite widely that connected automotive systems are highly vulnerable.

IoT has been an incredibly helpful, innovative concept that has made information gathering, technology control, and user experiences much better. It has been used to make farming more efficient, allows users to understand their health better, helps drivers navigate high traffic areas, and much more. But security must remain a high priority for designers and manufacturers. IoT is a multi-layered concept that involves apps, software, hardware, users, and designers that all need to work together to maintain integrity.

Staying Secure

There are already some basic steps one can take to provide more security in their everday lives with IoT devices:

  • Be aware of what data your IoT device is collecting and what it is doing with that data.
  • Review built-in security settings and change them from the default settings—the use of default passwords is a perfect example of an easy vulnerability.
  • If you don’t need a device to be connected to the Internet, leave it offline.
  • Be aware of which devices are uploading content to a cloud service (and turn it off if you don’t need it or want it).
  • Have a separate network for your IoT devices. Many routers allow multiple access points with their own passwords so you can keep your IoT devices and personal devices (phone, laptop) seperate.
  • Keep software up to date.

There are many organizations and companies that have some version of best practices for IoT devices including the IoT Security FoundationGemalto, and CISCO.

The Institute for Critical Infrastructure Technology, which is a technology think tank based out of Washington DC, calls for regulation of IoT security, calling the Dyn DDoS attack a “practice run”. Their report on the matter explains the basic operation of the Internet, DDoS attacks, and other examples of DDoS attacks that were aided by unsecured IoT.

As for how to protect yourself from the vulnerabilities demonstrated in the WikiLeaks release, it is less clear, but some suggestions circulating are:

  • Update the software your Android and iOS devices and keep it up to date. Apple had acknowledged that some of the vulnerabilities in the WikiLeaks release were already resolved, and that they are working to resolve the rest.
  • Only install apps from verified sources.
  • Update security software on your personal computers.

Though, perhaps, the safest way to approach IoT devices is not to own them at all. With these security revelations now public knowledge, the responsibility of keeping our tech safe has now been diluted a step further. It falls to designers, manufacturers, and consumers to be proactive about IoT security. 

 

This photo of Mark Zuckerberg in June 2016 shows the Facebook CEO keeps his laptop’s camera and microphone covered which piqued the interest of many viewers online. Image courtesy of Facebook.

Feature image courtesy of WikiLeaks.