After CIA leaks, tech giants scramble to patch security flaws

Apple, Microsoft, and Google are analyzing leaked CIA documents to see if their products are affected, but security researchers say that most of the flaws have long been fixed.

(Image: file photo)

Several tech giants have said they are examining a trove of documents leaked earlier this week that purport to show the CIA's ability to hack into phones, computers, and smart TVs.

The documents, released by WikiLeaks, did not contain exploit code that could be used by hackers to carry out attacks, but the documents do provide details of vulnerabilities that may help security researchers identify some flaws in tech products, including Android devices and iPhones.

Apple, Google, Microsoft, and Samsung were all named in the thousands of released documents, which are believed to have come from the CIA's Center for Cyber Intelligence.

national security

Leaked secret CIA files detail tools for hacking iPhones, Android, smart TVs

Classified files point to a covert effort by the CIA to develop exploits for vulnerabilities in popular phones for surveillance.

Read More

The CIA has so far not commented directly on the authenticity of the leak, but on Wednesday it suggested that the release had damaged national security by helping its adversaries "with tools and information to do us harm."

WikiLeaks founder Julian Assange said in a Thursday press conference that he will give the tech companies "exclusive access" to some of the technical details it has of the CIA's hacking tools, as part of an effort to expedite the security patching process.

But so far there has been no such evidence of sharing files with tech companies, however.

Apple said in a statement that it will "rapidly address any identified vulnerabilities" it finds in its Macs or iPhone software.

Google, too, said it will "implement any further necessary protections" and that its analysis is ongoing.

Microsoft said it was "looking into" the reports, but didn't comment further.

But security experts say that many of the vulnerabilities have already been patched.

Jon Sawyer, an Android security researcher, said that most of the Android bugs listed have been already patched.

"The list seems to be limited to Android 2.2 to 4.4.4 -- we are on Android 7.1.1 now," said Sawyer. He said that many of the bugs related to legacy versions of Android and older devices.

"Vague descriptions of bugs is no more worrisome than the fact they know any software has unknown vulnerabilities," he said, adding that Google was "in no worse position than they were a week ago."

An analysis by F-Secure showed that the majority of Android users are still using Android 4.4. Google's own statistics shows that the software version is third behind Android 5 and Android 6.

Will Strafach, an iOS security researcher, said that "essentially, there is nothing" in the documents that point to working vulnerabilities of iOS 10 and later.

Almost 80 percent of users are currently on a version of iOS 10, says Apple.

Strafach said the Samsung smart TV vulnerability, which required an older firmware version and physical access to the device, had also been fixed.

In a brief statement, a Samsung spokesperson said the company was "urgently looking into the matter."

Linux, the open-source operating system, was also listed in the cache of documents.

"Linux is a very widely used operating system, with a huge installed base all around the world, so it is not surprising that state agencies from many countries would target Linux along with the many closed source platforms that they have sought to compromise," said Nicko van Someren, chief technology officer at The Linux Foundation, speaking to BBC News.

US government pushed tech firms to hand over source code

If source code gets into the wrong hands, the damage would be incalculable.

Read More

He emphasized that the rapid release of security patches "enable the open source community to fix vulnerabilities and release those fixes to users faster."

But the status of other products isn't fully known.

In the cache, close to two-dozen antivirus products, including Kaspersky, Symantec, and Avast, were listed as having vulnerabilities that were exploitable by the CIA.

According to the Associated Press, the CIA used unflattering terms to deride antivirus makers, many of which the agency exploited through vulnerabilities in their software.

In one case, a flaw in Kaspersky antivirus allowed the CIA to "bypass Kaspersky's protections," but founder Eugene Kaspersky told an AP reporter that the vulnerability was fixed "years ago."

Avira, another antivirus maker, said it fixed a "minor vulnerability" within hours of the documents' release.

Cindy Cohn, director of the Electronic Frontier Foundation, said the CIA had "failed to accurately assess the risk of not disclosing vulnerabilities."

"Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans," she said.

WikiLeaks said so far it has released only a fraction of what it says it obtained, and that more files will be released in the coming days and weeks.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All