On Tuesday, WikiLeaks released thousands of CIA documents detailing the agency’s alleged abilities to hack into smartphones, computers, and smart TVs–but Apple said that many of the security flaws that could allow such access were already patched in the latest iOS update.
“The technology built into today’s iPhone represents the best data security available to consumers, and we’re constantly working to keep it that way,” Apple said in a statement released to news outlets Tuesday evening. “Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system.”
After an “initial analysis” of the leaks, Apple stated that many of the problems had already been patched in that latest iOS update, and that it will “continue work to rapidly address any identified vulnerabilities.”
“We always urge customers to download the latest iOS to make sure they have the most recent security updates,” Apple said, in closing.
WikiLeaks claims that the new leak, code-named “Vault 7,” is the largest ever publication of confidential CIA documents, with 8,761 files released from the CIA’s Center for Cyber Intelligence in Virginia. While the information has yet to be confirmed as true, the Associated Press noted that the site does have a record for releasing top secret government documents.
Wikileaks also said that this is only the first full part in a series of leaks called “Year Zero.”
“‘Year Zero’ introduces the scope and direction of the CIA’s global covert hacking program, its malware arsenal and dozens of ‘zero day’ weaponized exploits against a wide range of US and European company products, include Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones,” according to a WikiLeaks press release.
The documents claim that the CIA uses malware and hacking tools built by Engineering Development Group (EDG), a software development group within the Center for Cyber Intelligence. “The EDG is responsible for the development, testing and operational support of all backdoors, exploits, malicious payloads, trojans, viruses and any other kind of malware used by the CIA in its covert operations world-wide,” according to the press release.
The leaks also state that Samsung’s F8000 series of smart TVs was compromised via a hack that places the TV in a “fake off” mode, which leads the owner to believe that the TV is off, when it is actually on and recording conversations, sending them over the internet to a CIA server.
“Protecting consumers’ privacy and the security of our devices is a top priority at Samsung,” Samsung said in a statement after the leaks. “We are aware of the report in question and are urgently looking into the matter.”
The leaks also claim that the CIA’s Mobile Devices Branch developed a number of ways to remotely hack and control iPhones, iPads, and Android phones. “These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the ‘smart’ phones that they run on and collecting audio and message traffic before encryption is applied,” the press release stated.
Further, WikiLeaks said that the CIA has developed automated, multi-platform malware attack and control systems for Windows, Mac OS X, Solaris, Linux, and others.
“We are aware of the report and are looking into it,” a Microsoft spokesperson told the BBC. Google and the Linux Foundation have yet to publicly comment, the BBC noted.
As noted by the New York Times, there is no evidence that the CIA tools have been used against Americans.
If the leaked documents are verified, it could have major security implications for Apple, Samsung, Microsoft, and all other tech companies. However, it’s not exactly a surprise that these devices are able to be hacked, said Engin Kirda, professor of computer science at Northeastern University.
“In the computer security world, it is widely known that unknown vulnerabilities in products do exist and that there is potential for these vulnerabilities to be exploited to compromise systems,” Kirda said. “We know that many nation states are engaged in such zero day exploitation based in previous stories and examples. Hence, for a security professional, it is not surprising that the CIA would be able to exploit unknown vulnerabilities in phones or modern internet-connected TVs. In fact, previous work had shown that exploitation and infection of Samsung TVs was possible.”
The bigger issue, if the documents are confirmed, is the fact that the CIA itself was hacked, experts say. “The story here isn’t that the CIA hacks people…The CIA’s job, after all, is collect intelligence, and while its primary purview is human intelligence, hacking systems interacts synergistically with that collection,” wrote Nicholas Weaver, a senior staff researcher focusing on computer security at the International Computer Science Institute, in a blog post. “The actual headline here is that someone apparently managed to compromise a Top Secret CIA development environment, exfiltrate a whole host of material, and is now releasing it to the world.”
The 3 big takeaways for TechRepublic readers
1. On Tuesday, after WikiLeaks released thousands of alleged CIA documents detailing tools for hacking smartphones, computers, and smart TVs, Apple released a statement that said it had already fixed many of the security vulnerabilities that would allow the agency to hack into its devices in the latest iOS update.
2. Samsung and Microsoft also said that they were aware of the documents, and were investigating.
3. Security experts say that while the CIA’s alleged ability to covertly access user’s devices is concerning, the bigger issue is that the CIA itself was potentially hacked and this information was released to the world.