You are using an outdated browser. Please upgrade your browser to improve your experience.
CIA exploits

Updated: Apple Runs into Roadblocks to Resolve CIA Exploits

Security
March 9, 2017

Apple would like to eliminate CIA exploits WikiLeaks says leave devices vulnerable to hackers. Unfortunately, roadblocks could make this a long process, according to The Wall Street Journal.

Updated:

WikiLeaks will give tech companies access to CIA hacking tools, according to Julian Assange.

As originally published:

Earlier this week, WikiLeaks released 8,761 documents it claims shows that the Central Intelligence Agency (CIA) has developed and obtained exploits that allow the spy agency to break into iOS devices. These “zero-day” exploits are noted for being unknown to Apple or security researchers. More worrisome, the CIA has lost many of these exploits, meaning they could soon be out and about in the wild.

For companies such as Apple, Alphabet Inc.’s Google, Samsung Electronics Co. and Microsoft Corp., the risks are substantial. The CIA’s tools apparently can be used to gain unauthorized access to computers and smartphones. And because of the high-profile nature of the leak, the tools are likely to be widely used once they are disclosed.

To eliminate these exploits and protect its customers, Apple and other tech companies need to see the code. Unfortunately, this code is not forthcoming.

Companies now find themselves in a difficult position: They believe that at least two organizations have access to hacking code that exploits their products—the CIA and WikiLeaks—but neither one is sharing this software.

In a statement (via Kif Leswing), Apple has said that many of the exploits identified in the WikiLeaks data dump were already corrected. However, they admit that more work is necessary.

“Apple is deeply committed to safeguarding our customers’ privacy and security. The technology built into today’s iPhone represents the best data security available to consumers and we’re constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system.

While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue to work rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates.”

With the CIA and WikiLeaks being uncooperative, it looks like tech companies might attempt to get the code via the Vulnerability Equities Process. The VEP allows the U.S. government to share information on security flaws it discovers with U.S. companies.

Unfortunately, this process is “likely to involve a lengthy interagency review, said one person familiar with the situation.”

Even were Apple to resolve every CIA exploit pointed out in the WikiLeaks data dump, more problems could be coming. The organization claims it has only disclosed 1 percent of the CIA documents in its possession.

As Thomas Rid, a professor of security studies at King’s College London concludes, “If it is the case that they have so much more, that, I think, will have a lot of people quite nervous.”

You can read the WikiLeaks information on the CIA here.