The Atlanta Journal-Constitution
WikiLeaks says it may help tech companies fix security flaws in their products,
Group muses about whether to shield tech companies.
WASHINGTON — The anti-secrecy group WikiLeaks raised the prospect Wednesday of sharing sensitive details it uncovered about CIA hacking tools with leading technology companies whose flagship products and services have been targets of the government’s spying.
If that sharing takes place, it would give companies like Apple, Google, Microsoft, Samsung and others an opportunity to identify and repair any flaws in their software and devices that have been exploited by U.S. spy agencies and some foreign allies, as described in nearly 9,000 pages of secret CIA files WikiLeaks published on Tuesday.
The documents, which the White House declined Wednesday to confirm as authentic, describe clandestine methods for bypassing or defeating encryption, antivirus tools and other protective security features for computers, mobile phones and even smart TVs. They include the world’s most popular technology platforms, including Apple’s iPhones and iPads, Google’s Android phones and the Microsoft Windows operating system for desktop computers and laptops.
“This is the kind of disclosure that undermines our security, our country and our well-being,” White House spokesman Sean Spicer said. “This alleged leak should concern every single American.”
Spicer defended then-candidate Donald Trump’s comment in October 2016 that “I love WikiLeaks!” after it published during the presidential campaign private, politically damaging emails stolen from the account of Hillary Clinton’s campaign manager. Spicer said there was a “massive, massive difference” between WikiLeaks publishing stolen emails of a political figure and files about national security tools used by the CIA.
The CIA has declined to confirm that the documents are authentic. But on Wednesday, the agency said Americans should be “deeply troubled” by the disclosures.
WikiLeaks has not released the actual hacking tools themselves, some of which were developed by government hackers while others were purchased from outsiders. The group indicated it was still considering its options but said in a statement Wednesday: “Tech companies are saying they need more details of CIA attack techniques to fix them faster. Should WikiLeaks work directly with them?”
It wasn’t clear whether WikiLeaks — a strident critic of Google and Facebook, among others — was serious about such action. A message seeking additional details from WikiLeaks was not immediately returned, and an attempt to speak to founder Julian Assange on Tuesday was rebuffed.
Security experts said WikiLeaks is obligated to work privately with technology companies to disclose previously unknown software flaws, known as zero-day vulnerabilities because consumers would have no time to discover how to defend themselves against their use, and with companies that design protection software. WikiLeaks has said the latest files apparently have been circulating among former U.S. government hackers and contractors.
“The clear move is to notify vendors,” said Chris Wysopal, co-founder and chief technology officer of Veracode Inc. “If WikiLeaks has this data then it’s likely others have this data, too. The binaries and source code that contain zero days should be shared with people who build detection and signatures for a living.”
The political fallout and damage to U.S. intelligence operations was still being assessed Wednesday. A former head of the CIA and National Security Agency, Michael Hayden, sought to assure people the U.S. would use such cyber weapons only against foreign targets.
“I can tell you that these tools would not be used against an American,” Hayden said Tuesday night on “The Late Show with Stephen Colbert.” “But there are people out there that you want us to spy on. You want us to have the ability to actually turn on that listening device inside the TV, to learn that person’s intentions.”
One clear risk is that WikiLeaks revealed enough details to give foreign governments better opportunities to trace any of the sophisticated hacking tools they might discover back to the CIA, damaging the ability to disguise a U.S. government hacker’s involvement.
“That’s a huge problem,” said Adriel T. Desautels, the chief executive at Netragard LLC, which formerly sold zero-day exploits to governments and companies. “Our capabilities are now diminished.”
Some vendors were already sifting through the disclosures to fix flaws in their software. The first confirmed patch came from Avira Operations GmbH & Co., a German antivirus vendor, which said it fixed what it described as “a minor vulnerability” within a few hours of the WikiLeaks release.
Apple said many of its security vulnerabilities disclosed by WikiLeaks already had been fixed.