Vault 7 - New CIA leak demonstrates need for first-party security

As I have mentioned several times in the past, security is of the utmost priority in the digital age. Protecting ourselves against cyber-attacks is vital. However, these attacks are not always obvious. In fact, sometimes they come from places you’d least expect.

On Tuesday, WikiLeaks released a huge bundle of documents which allegedly detail hacking tools and exploits for virtually every major software platform, including iOS and Android. The first batch of documents was codenamed Year Zero whereas the leak as a whole has been dubbed Vault 7 by WikiLeaks.

Though the CIA has neither confirmed nor denied the authenticity of the documents, they do seem to be real. They come in many different forms, including instructions and simple descriptions. The gist of Vault 7 is that the CIA, along with other intelligence agencies, have found ways to circumvent protection measures in major software platforms.

In the iOS and Android documents, a variety of security issues are disclosed. The CIA lists a number of different vulnerabilities and how they managed to exploit them. Using such exploits, the agency was apparently able to bypass encryption measures in apps such as Signal, Telegram, and WhatsApp by collecting data traffic before any type of encryption had been applied.

Exploits for other platforms are also discussed in detail. For example, a Samsung Smart TV was essentially turned into an audio bug in an MI5 project called “Weeping Angel”. Numerous other hacks are explained in detail, providing a wealth of information to Vault 7’s intended readers.

For their part, Google, Apple, and others have maintained that these exploits have all been fixed. In addition to that, all tech companies have once again attempted to remind the world that security is at the top of their priority list. These statements, along with the documents themselves, should all be taken with a grain of salt.

The point to make here, however, is that first-party security is vital. Even if Apple, Google, Microsoft, Samsung, and all the other companies involved in these exploits had their users’ best interests at heart, they often fail to protect them.

In the present day, maintaining one’s privacy and security is seemingly impossible. The choice seems to boil down to whether you wish to use digital services or remain anonymous; the two are seemingly exclusive.

On Wednesday, FBI Director James Comey said something very interesting: “There is no such thing as absolute privacy in America”. To put things in context, Comey was talking about “appropriate circumstances” where a judge, for instance, can dictate the release of private communications.

Though Comey later added that Americans indeed value privacy and that they should have a “reasonable expectation of privacy in [their] homes, in [their] cars, in [their] devices”, such comments should always be measured against the political climate that has surrounded privacy not just with President Trump’s administration but also before that.

Vault 7 is only the latest in a long series of revelations that intelligence agencies and other governmental institutions will practically stop at nothing to obtain information. With tech companies collecting more and more data, and the digital world becoming increasingly transparent on only one part of the scale, how can private citizens remain, well, private?