WikiLeaks dumped thousands of alleged CIA documents online yesterday that contained lists of vulnerabilities in popular tech products, sending companies scrambling to make sure their security patches were up-to-date. But as companies reviewed the documents, it became clear that most of the vulnerabilities they contained were outdated.
Apple first dismissed the majority of the listed iPhone vulnerabilities in a statement last night, and now Google and other firms are following suit.
“As we’ve reviewed the documents, we’re confident that security updates and protections in both Chrome and Android already shield users from many of these alleged vulnerabilities. Our analysis is ongoing and we will implement any further necessary protections. We’ve always made security a top priority and we continue to invest in our defenses,” Google’s director of information security and privacy Heather Adkins said in a statement.
Finding flaws in iPhones and Android devices was important to the CIA’s mission of surveilling targets because the security problems could allow the agency to eavesdrop on users’ communications.
It’s important to note that, although Google and Apple both say that most of the vulnerabilities are fixed, that doesn’t mean all of them are. Users concerned about the security of their devices need to make sure they’re updating to the latest software to get all of the security patches.
The WikiLeaks disclosure has reignited a debate over whether U.S. intelligence agencies should disclose software vulnerabilities to companies so they can be fixed, or hoard them so they can be used for spying.
Mozilla’s chief legal and business officer Denelle Dixon highlighted the importance of disclosure in conversation with The New York Times. “The C.I.A. seems to be stockpiling vulnerabilities, and WikiLeaks seems to be using that trove for shock value rather than coordinating disclosure to the affected companies to give them a chance to fix it and protect users,” Dixon said. “Although today’s disclosures are jarring, we hope this raises awareness of the severity of these issues and the urgency of collaborating on reforms.”
Many tech industry advocates believe that the government has a responsibility to protect American businesses and consumers by notifying companies of security flaws, rather than keeping them secret and exploiting them. The Obama administration pushed a vulnerabilities equity process to help government agencies determine when to disclose vulnerabilities to companies, but the WikiLeaks documents raise questions about whether the VEP is effective.
“The White House vulnerabilities equities process spells out what the government should be doing when it comes into possession of 0-days,” Alex Rice, chief technology officer of HackerOne, told TechCrunch. “It’s unclear if it’s been honored properly in this case. Were these vulnerabilities handled in the way outlined by the previous administration? And if not, what do we do about that? Was the process illegitimate to begin with? It’s restarting a conversation we thought we had a clear answer to.”
Rice, who worked on Facebook’s security team before helping launch the bug bounty platform HackerOne, said the vulnerabilities WikiLeaks reported in Samsung smart TVs had a personal impact on him: WikiLeaks claimed the CIA spied on targets through their TVs, and Rice has a Samsung TV facing his bed. “I’m not worried about the CIA eavesdropping on my television. If the CIA is going to conduct espionage on me, they have more than enough means to do so. What I am concerned about, if the U.S. government knows I have vulnerable tech in my bedroom, that has direct implications to my privacy. That’s something I should know about as a taxpayer,” Rice explained.
After all, if the CIA discovers a security vulnerability in a popular product, it’s only a matter of time before hackers or other nations’ spy agencies find it too. The CIA knew it had been breached late last year, according to a Reuters report, which calls into question why Apple, Google, Samsung and others weren’t alerted sooner.
“Eventually these vulnerabilities are not going to be secret any longer,” Rice said. “How are we going to minimize the damage when that happens? This leak is proof of that. We are all at a disadvantage if WikiLeaks has access to a 0-day in iPhone, Android, or Samsung TV.”
Comment