WikiLeaks' Vault7 CIA Dump Prompts Apple Reaction And More
Apple, Microsoft, and others in the tech industry have responded to Wikileaks' claims of CIA hacking abilities, pushing back on fears of federal agents turning smartphones and TVs into spies. The leak-focussed group, which has prompted controversy in recent months for the role it played in the US presidential election, released a cache of data earlier this week that it claimed proved the US Central Intelligence Agency could routinely eavesdrop through many of the connected devices people have in their homes or pockets. Dubbed "Vault7", the nearly 9,000-strong document drop has prompted chaos among many, uncertain whether their devices are in fact working against them.
According to Vault7, Apple's iOS had a suggested fourteen vulnerabilities by which government agencies could tap in. In a statement, Apple said that it was "deeply committed to safeguarding our customers' privacy and security" and that "the technology built into today's iPhone represents the best data security available to consumers, and we're constantly working to keep it that way." From the company's own analysis, it suggested, "many" of the possible loopholes in iOS had already been patched by more recent versions of the platform:
"Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates" Apple
Other companies have been less forthcoming. Microsoft's Windows was said to be targeted by CIA operatives looking to take advantage of zero-day exploits via viruses loaded from compromised USB sticks and CDs. "We are aware of the report and we are looking into it," the company said in a statement.
It's not just phones and computers, mind. Other concerns have been prompted by documents within the leak that describe how a Samsung Smart TV was turned into a listening device. Ostensibly turned off, the compromised set was supposedly able to act as a microphone, picking up the conversations of anybody around it.
"Protecting consumers' privacy and the security of our devices is a top priority at Samsung," the TV maker said in a statement. "We are aware of the report in question and are urgently looking into the matter."
Nonetheless, while the tone of the leak has been fairly frantic, not least with Wikileaks itself making bold claims about just what reach the CIA has into systems believed to be encrypted, experts have cautioned that the reality may not be so dramatic. Suggestions that so-called secure messaging services like Signal and WhatsApp can in fact be tapped made early headlines. However, the developers behind the actual encryption used, Whisper Systems, was quick to counter any claim that its technology was compromised:
The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption.
— Open Whisper Systems (@whispersystems) March 7, 2017
Instead – and has been highlighted by many experts – the monitoring of such apps would rely on the phone itself being infected. That's not a new process, and nor is it new information that, if the core OS is compromised, what's being carried out within apps on that device could be compromised too. While Samsung may not have pointed it out, researchers have made clear that the documents don't prove the CIA could remotely hack a TV.
Indeed, as Errata Security's Robert Graham highlights, the microphone exploit described required physical access to the TV first. "The docs are clear that they can update the software running on the TV using a USB drive. There's no evidence of them doing so remotely over the Internet," he writes. "If you aren't afraid of the CIA breaking in an installing a listening device, then you should't be afraid of the CIA installing listening software."
It's likely that other companies will weigh in with comments as the thousands of documents in Vault7 are better digested. Google, for instance, is yet to say anything about speculation over Android security. Nonetheless, it seems at this stage that the best advice you could follow is to update your devices – whether phone, TV, or something else – to the latest official firmware, and make sure to lock your door, just in case the CIA speculatively tries the handle.