Apple to ‘rapidly address’ any security holes as companies respond to CIA leak
Alex Hern, Graun, Mar 8 2017
Apple has promised to “rapidly address” any security holes used by the CIA to hack iPhones, following the release of a huge tranche of documents covering the intelligence agency’s stockpile of software vulnerabilities. The leak, dubbed “Vault 7” by its publisher WikiLeaks, is made up of a collection of around 10,000 individual documents created between 2014 and 2016. A CIA spox would not comment “on the authenticity or content of purported intelligence documents.” Trump administration spokesman Sean Spicer also declined comment. Apple, one of numerous tech companies whose devices appear to have been targeted, released a statement late on Tuesday saying many of the vulnerabilities described by the documents were already fixed as of the latest version of its iOS mobile operating system, and aimed to reassure customers that it was working on patching the rest of the holes. It said:
While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates.
Other companies mentioned in the leaks, including Microsoft and Samsung, gave briefer statements. Google has yet to comment on the leaks, which contain a sizeable amount of information on how to target its Android operating system. While Apple has tried to reassure customers that “many” of the vulnerabilities mentioned in the document have now been fixed, the leak itself represents just a snapshot in time of the CIA’s capabilities, which may have developed further since the documents were created. One page of the leak, which focuses on iOS exploits, shows the most recent version of iOS as 9.2. That version was released in Dec 2015, implying that the iOS-specific document was created between Dec 8 2015 that year and Jan 15 2016, when iOS 9.2.1 was made available. That page shows some exploits, such as one named “Nandao” and apparently discovered by Britain’s GCHQ, which were unknown outside the intelligence community at the time the document was created. Such an exploit is known as a “zero-day” vulnerability, for the number of days the manufacturer has had to fix the problem. It takes many separate vulnerabilities to craft a full malware kit that can be used to remotely take control of a smartphone. The WikiLeaks document lists six separate vulnerabilities required to remotely exploit an iPhone running iOS 9.2, with codenames like Saline, MiniMe and Juggernaut, and a manufacturer fixing any one of those holes can weaken an attacker’s capabilities. The requirement to keep such zero-day exploits secret from the manufacturer, lest they be fixed, also explains why they are unlikely to be used for anything other than targeted surveillance, security experts say. In Aug 2016 for instance, Apple issued a global iOS update after three zero-day attacks were found being used to try and break into the iPhone of an Arab human rights activist. The quantity of exploits referred to in the Vault 7 leak has also drawn fresh criticism of the CIA and other intelligence agencies’ practice of purchasing or otherwise discovering security flaws in popular hardware and software, and failing to disclose the flaws to the manufacturers. Edward Snowden tweeted:
Publicly, the Pindosi government has insisted that it doesn’t stockpile such exploits, instead reporting “the greatest numbers of vulnerabilities” it finds, rather than keeping them secret. But it has always maintained the right to keep particularly critical vulnerabilities secret if they have “a clear national security or law enforcement” use.