WikiLeaks Documents Detail Alleged CIA Hacking Tools

David Greene talks with Jake Williams of the cybersecurity firm Rendition InfoSec about documents released by WikiLeaks that purportedly describe tools the CIA uses to spy on electronic devices.

DAVID GREENE, HOST:

And two big questions this morning - how damaging is this for the CIA? And does this mean the government can spy on us in ways we never imagined? We're going to talk this through now. We are talking about a huge collection of documents that were released yesterday by WikiLeaks. These files - if they are authentic - are said to be from the CIA's secret hacking program. We're seeing details about the tools the government uses to break into computers and mobile phones and maybe even use televisions to spy. In response to this leak, the government is confirming nothing. Here's White House Press Secretary Sean Spicer.

(SOUNDBITE OF ARCHIVED RECORDING)

SEAN SPICER: I'm not going to comment on that. I think, obviously, that's something that has not been fully evaluated. And if it was, I would not comment from here on that.

GREENE: We're joined now on Skype by Jake Williams. He is with the cybersecurity firm Rendition InfoSec. Mr. Williams, welcome to the program.

JAKE WILLIAMS: Good morning, David.

GREENE: So are these documents authentic?

WILLIAMS: Everything that we've read so far seems to suggest the fact that they're authentic.

GREENE: And why do you think that? What are you seeing that makes you believe that?

WILLIAMS: There's actually a number of technical conversations in the documents where they're evaluating some open-source material, stuff that we can validate independently and download ourselves. The kinds of conversations they're having, one, are a hundred percent technically accurate. And two, they're the kind of conversations that only someone involved in government-sponsored hacking would be having.

GREENE: OK. So if we move on with that assumption at least, I mean, it sounds like Wikileaks redacted actual source code that the CIA might be using. But these are details, it looks like, of how the agency can crack into technology, where vulnerabilities are. I mean, how damaging is this for the CIA?

WILLIAMS: Well - so first off, they didn't redact a hundred percent of the source code. And in several of the documents that are released, there are what we would call code snippets, or library-type functions, that can be included and in the documentation, in fact, states have been included in some of the CIA tools.

GREENE: So how big a deal is that, if there's some actual source code and then all these details out there now?

WILLIAMS: Yeah, sure, it's a huge deal. This allows some of our researchers basically to start building signatures to detect this stuff in the wild.

GREENE: Building signatures - I mean, so this would be not just companies, say, here in the United States but, I mean, companies in other countries that might now be able to find ways to get rid of these vulnerabilities and make them less accessible to our intelligence agencies.

WILLIAMS: Oh, absolutely. And not only that, we also have to worry about attackers in other countries taking this code and repurposing it for their own.

GREENE: Well, I mean - if I understand the law correctly, the CIA is not supposed to be spying on Americans. They would be using these tools on foreign soil. So if we just think this through here, it makes me wonder if this dump from WikiLeaks really is making us, Americans, less safe and potentially helping other countries, like, say, Russia.

WILLIAMS: I think that there's probably little doubt that, in the short term, America is less safe because of the dump. Of course, this brings back the whole zero-day argument that we've been having for quite some time.

GREENE: And remind us of that argument.

WILLIAMS: Well, the zero-day argument comes down to, you find a vulnerability. Do you report that to the vendor so that they can fix it for everybody, or do you leave yourself potentially exposed to anyone else who has found it and still use it to exploit targets for intelligence value?

GREENE: But how worried should we be that a country like Russia might use this now?

WILLIAMS: Well, none of the exploits themselves have been published - or the vulnerabilities themselves have been published. All we have so far are the actual tools used to hide and steal data.

GREENE: Do you think the CIA is spying on us here in this country on mobile devices, internet TVs, you know, apps like WhatsApp?

WILLIAMS: You know, that's something I've talked to a lot of people about over the last 24 hours, as you can imagine. And honestly, I don't think you or I have any risk of being spied on by the CIA. I think there are far more interesting people out there for them to spy on.

GREENE: What does this tell us, though, about the state of electronic privacy today? I mean, is there such a thing as privacy even left?

WILLIAMS: I think it's eroding rapidly, if it even exists at this point.

GREENE: And is that a problem in your mind?

WILLIAMS: Yeah. I mean, I have stuff on my smartphone - and I suspect we all do - that we would prefer not everybody be able to read. So yeah, I think it's definitely a problem, and, you know, I suspect that manufacturers are going to continue to try to close that privacy gap.

GREENE: OK. Jake Williams is with the cybersecurity firm Rendition InfoSec, and he joined us via Skype.

Thanks so much. We appreciate it.

WILLIAMS: Thank you.

Copyright © 2017 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.