Categories: Tech

Apple to ‘rapidly address’ any security holes as companies respond to CIA leak

Apple has promised to “rapidly address” any security holes used by the CIA to hack iPhones, following the release of a huge tranche of documents covering the intelligence agency’s stockpile of software vulnerabilities, Joinfo.com reports with reference to The Guardian.

The leak, dubbed “Vault 7” by its publisher WikiLeaks, is made up of a collection of around 10,000 individual documents created between 2014 and 2016. A spokesman for the CIA said it would not comment “on the authenticity or content of purported intelligence documents” and the Trump administration spokesman Sean Spicer also declined comment.

Apple, one of numerous tech companies whose devices appear to have been targeted, released a statement late on Tuesday saying many of the vulnerabilities described by the documents were already fixed as of the latest version of its iOS mobile operating system, and aimed to reassure customers that it was working on patching the rest of the holes.

It said: “While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities,” it added. “We always urge customers to download the latest iOS to make sure they have the most recent security updates.”

Other companies mentioned in the leaks, including Microsoft and Samsung, gave briefer statements. “We are aware of the report and are looking into it,” Microsoft said. Samsung said: “Protecting consumers’ privacy and the security of our devices is a top priority at Samsung. We are aware of the report in question and are urgently looking into the matter.” Google has yet to comment on the leaks, which contain a sizeable amount of information on how to target its Android operating system.

While Apple has tried to reassure customers that “many” of the vulnerabilities mentioned in the document have now been fixed, the leak itself represents just a snapshot in time of the CIA’s capabilities, which may have developed further since the documents were created.

One page of the leak, which focuses on iOS exploits, shows the most recent version of iOS as 9.2. That version was released in December 2015, implying that the iOS-specific document was created between 8 December that year and 15 January 2016, when iOS 9.2.1 was made available.

That page shows some exploits, such as one named “Nandao” and apparently discovered by Britain’s GCHQ, which were unknown outside the intelligence community at the time the document was created. Such an exploit is known as a “zero-day” vulnerability, for the number of days the manufacturer has had to fix the problem.

 

It takes many separate vulnerabilities to craft a full malware kit that can be used to remotely take control of a smartphone. The WikiLeaks document lists six separate vulnerabilities required to remotely exploit an iPhone running iOS 9.2, with codenames like Saline, MiniMe and Juggernaut, and a manufacturer fixing any one of those holes can weaken an attacker’s capabilities.

The requirement to keep such zero-day exploits secret from the manufacturer, lest they be fixed, also explains why they are unlikely to be used for anything other than targeted surveillance, security experts say. In August 2016, for instance, Apple issued a global iOS update after three zero-day attacks were found being used to try and break into the iPhone of an Arab human rights activist.

The quantity of exploits referred to in the Vault 7 leak has also drawn fresh criticism of the CIA and other intelligence agencies’ practice of purchasing or otherwise discovering security flaws in popular hardware and software, and failing to disclose the flaws to the manufacturers.

“Here’s the big deal,” tweeted Edward Snowden, the source of a previous huge leak of NSA hacking capabilities: “First public evidence USG [US government] secretly paying to keep US software unsafe. The CIA reports show the USG developing vulnerabilities in US products, then intentionally keeping the holes open. Reckless beyond words.”

Publicly, the US government has insisted that it doesn’t stockpile such exploits, instead reporting “the greatest numbers of vulnerabilities” it finds, rather than keeping them secret. But it has always maintained the right to keep particularly critical vulnerabilities secret if they have “a clear national security or law enforcement” use.

Share
Published by
Nataly

Recent Posts

Lunar Leap: How Intuitive Machines Carved a Path for Commercial Space Exploration

The flight to the moon comes from a breakthrough in technology In a move that…

9 hours ago

Edward Snowden and Bitcoin: A Revolutionary Perspective on Digital Currency

The Unprecedented Advancement of Digital Currency Edward Snowden, the notorious whistleblower and staunch advocate for…

2 days ago

Beyoncé Breaks New Ground: First Black Woman to Claim No. 1 on Hot Country Songs Chart with ‘Texas Hold ‘Em’

In the ever-evolving tapestry of music, where genres blend like colors on a canvas, Beyoncé…

3 days ago

Trump’s record $355M penalty: Navigating the legal maze and its broader implications

The Verdict Heard Round the World In a seismic shift, Donald Trump, the erstwhile President…

4 days ago

Emma Stone’s BAFTA 2024 Triumph: A Milestone in “Poor Things” Journey

Another high point for Emma Stone The 2024 EE BAFTA Film Awards marked a significant…

4 days ago

United Front Against AI Disruption: Tech Giants Forge Accord to Safeguard Elections

In an era where artificial intelligence (AI) holds the power to both innovate and destabilize,…

5 days ago