Are these documents for real? The CIA, naturally, isn’t saying. The collection could come from Russian spies and be a complete head fake. The documents don’t include any code for the hacking tools mentioned, so it is hard to prove their authenticity. Bleeping Computer has this list of the actual tool names and what they do.
What is new? Not much. While the knowledge about the specific scope and depth of activities is new, overall this is what the CIA and other spy agencies do: they target specific individuals and try to gain access to their digital lives. The New York Times says, “But the CIA program seems to have been particularly sophisticated, far-reaching and focused on surveillance.” The bad news, according to security writer Matt Blaze, “is that platform exploits are very powerful. The good news is that they have to target you in order to read your messages.”
Are they hoarding specialized “zero day” exploits? Unclear. One report says the CIA had produced 24 different Android “zero day” software programs. Another says not true: “they aren't keeping 0days back in a vault somewhere -- if they have 0days, they are using them.” Indications are that none of this is truly the state of the art in hacking. (See this internal document comparing what the hacking groups of the CIA and NSA have accomplished.) Robert Graham blogs that “The sort of thing the [CIA does] is bribe, blackmail, or bedazzle some human asset (like a technician in a nuclear plant) to stick a USB drive into a slot.”
But this proves that the CIA is neutralizing encryption, right? Wrong. What the documents describe is leveraging physical access to the entire device and all of the apps running on it; with that level of access the messages are read at the endpoint, before they are encrypted or after they are decrypted, so the encryption itself is bypassed rather than broken. Nothing new here, despite what the NYTimes and Mashable tweeted and reported (and later corrected).
What has been the reaction of the vendors involved? Apple, Microsoft and Samsung have released various statements that range from “we are looking into the exploits mentioned” to “nothing to see here, move on,” according to the BBC. Apple’s response, for example, said that many of the exploits had already been fixed. Google hasn’t said anything about the various Android exploits. It will take some time to suss this all out, to be sure.
What, me worry? Not so much. “Unless you're a high-value target, such as a terrorist, arms dealer, foreign politician or diplomat or, well, a spy, the CIA will probably not be interested in what's on your phone,” says Tom’s Guide. Agreed.
Should you toss out your Alexa/Google Home device? Yes, if you are ultra paranoid. And maybe you should unplug that smart TV too when you aren’t using it. The documents don’t talk about remotely accessing a TV, though: a spy still needs physical access to your living room to install malware on your TV, smartphone or computer, at least the kind of malware mentioned in these documents.
What can ordinary business folks learn from this? These suggestions to people traveling to Germany, such as using a card with a low credit line exclusively for travel, picking your hotels carefully and carrying a minimal laptop, are interesting and could be instructive. In the meantime, keep your phones and other devices updated to the latest OS releases.
How damaging is this trove of documents to our national security? Estimates vary all over the map. "First, the CIA’s ability to access the target devices and technologies is certainly compromised. Second, the release appears to contain highly sensitive organizational and operational internal CIA information, the uses of which by foreign intelligence services can only be imagined. Third, actual tools used for hacking by the CIA appear to have been obtained, but not yet released." These are the opinions of Robert Cattanach, a partner at the law firm Dorsey & Whitney.