Vault7 leak should mark the end of Internet of Things

Yesterday’s Wikileaks dump shouldn’t be all that surprising. Intelligence gathering organisations hack electronic devices to gather intelligence — it’s their job. There are several aspects that worry me though.

First of all, a lot of their ability seems to rely on ‘zero day’ vulnerabilities. These are security vulnerabilities that the software developer does not know about. When deciding whether to exploit these vulnerabilities or report them to be fixed, the security agencies need to balance the potential benefit of exploiting the vulnerability with the risk to the public of not reporting it. The information in this leak suggests they aren’t equipped to do that balancing act. A zero day vulnerability allowing you to bypass encryption in some of the most popular messaging apps is dangerous. It should be reported and fixed immediately, not exploited.

I am also worried about the potential end game. The leaks mention that the Samsung F8000 TV set has successfully been turned into a covert listening device. The TV appears switched off yet the microphone is still live. Where does this end? In conjunction with the Snowden leaks and dragnet surveillance it seems like it’s only a matter of time until every microphone is enabled and recording without our knowledge. I’ve always been concerned about Amazon’s Echo from a privacy perspective. Now, frankly, I’m terrified. There are millions of listening devices in people’s homes, potentially already exploited.

The rise of the ‘internet of things’ is filling homes with devices which contain microphones, cameras, and provide lots of utility. This final point is the problem. Consumers benefit from devices which can be turned into surveillance equipment. They also generally believe “if you’ve got nothing to hide…” is valid reasoning. These leaks won’t worry them much and certainly not enough to give up the benefit of their smart devices.

Technical solutions to these problems will only get us so far. At the end of the day a lot of this was done exploiting zero days and code will always contain bugs. We can encrypt our communications and there still might be unknown vulnerabilities the intelligence agencies can exploit. The problem needs tackled from a legal and policy perspective as it’s only there where there can be real change. We need to educate so that “if you’ve got nothing to hide…” no longer seems like a valid position. And we need to ensure organisations like the EFF and Privacy International have the support necessary to continue to fight intrusions into our private lives.