Julian Assange’s website WikiLeaks is in possession of what appear to be CIA hacking tools that can target popular devices like Apple’s iPhones and Macs as well as products from other big tech companies like Microsoft and Google.
Assange has said that WikiLeaks will share details of the vulnerabilities with Apple and other big tech companies, so they can fix the vulnerabilities that the CIA uses for its hacking tools.
“We have decided to work with them to give them some exclusive access to the additional technical details that we have so that fixes can be developed and pushed out,” Assange said in a press conference earlier this month.
But Apple didn’t sound very grateful to Assange for his “exclusive” offer. In fact, Apple’s public response to WikiLeaks was downright frosty. “We have not negotiated with Wikileaks for any information,” said Apple in a statement provided to Business Insider on Thursday.
The statement said that WikiLeaks was just like anyone else, despite its stolen CIA files: It could submit bugs through a standard process, and while the two may have been briefly in touch, Apple hasn’t seen anything that hasn’t been tweeted or posted to the WikiLeaks website.
“We have given them instructions to submit any information they wish through our normal process under our standard terms,” according to the statement. “Thus far, we have not received any information from them that isn’t in the public domain.”
Then, to top it off, Apple says that WikiLeaks, with its public threat to release ways to attack Apple and other tech companies’ products after 90 days if bugs are not “fixed,” is actively working to harm iPhone users:
“We are tireless defenders of our users’ security and privacy, but we do not condone theft or coordinate with those that threaten to harm our users.”
There’s no way to read this as anything but an unconditional slam on Julian Assange, and essentially, a promise that Apple will not work with him or WikiLeaks.
Apple is not happy with WikiLeaks at all.
Why this matters
What hackers like those that work for the CIA need to really control someone’s phone or computer is what’s called a “zero-day” vulnerability.
Zero-days are basically secret bugs that can be used by professionals to break software and gain access to a system. But one problem for the CIA and other hackers is that zero-days expire: as soon as they’re known, the tech companies fix the bug, making the exploit useless.
Apple, in particular, kills vulnerabilities all the time, and said all the bugs mentioned in the WikiLeaks files so far have already been patched. (Google and Microsoft are also equally good at squashing zero-days — maybe even better than Apple.)
The documents that WikiLeaks is publishing are not code or instructions to recreate an exploit, but strongly suggest that the CIA had an arsenal of zero-days at some point — and if any organization can be expected to have a library of zero-day vulnerabilities, it’s the CIA.
This doesn’t just affect Apple: So far, WikiLeaks has dumped two batches of documents from the CIA. The one released earlier this week included details on old Mac and iPhone exploits. The first batch mentioned alleged vulnerabilities in Microsoft Windows and Google Android as well — all patched so far, according to the companies. But WikiLeaks says they have more files they haven’t shown the public yet.
Microsoft said in a statement to Business Insider that all the vulnerabilities mentioned in the first WikiLeaks batch have been fixed: “Our investigation confirmed that the information released on March 7 is dated, and the disclosed issues are already addressed in modern systems.”
Google said that security updates “already shield users from many of these alleged vulnerabilities.” Google, Microsoft, and Apple have encouraged their users to update their software.
Drip drip drip
The way WikiLeaks is dripping its leaks out in batches leaves companies like Apple, Google, and Microsoft in a tricky position.
These companies can’t really confirm without the code whether the zero-days are legitimate or not. (All they really have is descriptions of the exploits.) But they also can’t wholly dismiss the leaks — or even future leaks — in case some do end up being live exploits.
For example, since the vulnerabilities are described in top secret confidential files, it could be legally dangerous for a company like Apple or Microsoft to talk to Assange and WikiLeaks to see purported tools and files that haven’t been made public yet, the Financial Times reported.
So companies need to be careful about how they’re talking to Assange. “WikiLeaks made initial contact via [email protected] and we have followed up, treating them as we would any other finder,” a Microsoft spokesperson told Business Insider.
Essentially, tech companies can’t treat WikiLeaks differently than any other bug finder.