14 DAY TRIAL // The CIA has been hoarding zero-day vulnerabilities, hoping to get the upper hand on those pesky little companies half the world uses - Google, Apple, Microsoft, and others. Furthermore, it used one of these vulnerabilities to build malware that can hack devices that have run Twitter accounts.
The revelations are made in the Vault 7 files released by Wikileaks, which explain how the CIA has a massive collection of hacking tools.
While most of the files are inaccessible at this point, WikiLeaks does give one example. By using malware, CIA was able to penetrate, infest and control both the Android phones and iPhones that run or have run Twitter accounts, including the President's phone.
They claim the CIA used undisclosed security vulnerabilities to build the malware. This means that if the CIA can hack the phones, so can anyone else who discovered it after them. If the CIA does not disclose the zero-day bugs, Google and Apple can't fix them.
It seems that the vulnerability applies to the population at large, not just select few in the Oval Office. The list does include, however, members of the government, CEOs, system administrators, law enforcement officers, and so on.
An unkept promise
Following Edward Snowden's NSA leaks, the US technology industry made the Obama administration commit to disclose serious vulnerabilities. If you remember, back when OpenSSL critical bug Heartbleed was exposed, the NSA admitted that they'd known of zero-day vulnerabilities in the past, although they weren't aware of Heartbleed per se.
Well, it seems that its sister agency, the CIA, was doing its best not to disclose such vulnerabilities in order to exploit them, especially since the likes of Google, Apple and Microsoft refused to cooperate fully with law enforcement when asked to crack open their codes.
Hoarding such vulnerabilities and not disclosing them so that the companies affected could fix them put huge numbers of users at risk both in the face of regular cyber criminals and foreign intelligence agencies. After all, if the CIA can discover the vulnerabilities, so can others.
"Year Zero" documents, as the case has been dubbed, show that the CIA breached the commitments made by the Obama administration, although we're not very sure why anyone would actually take their word for it in the first place. It seems that many of the vulnerabilities used by the CIA are pervasive and some may have already been found by rival intelligence agencies or cyber criminals, endangering all the users of the affected services.