Following WikiLeaks’ publication earlier this week of classified documents stolen from the CIA, major technology companies, including Apple, Samsung, Microsoft and Cisco, have been scrambling to assess the risks posed to their customers by the revelations.
The so-called “Vault 7” leak includes information about methods and tools the CIA crafted to hack into products produced by those companies.
Apple’s initial analysis reportedly showed that many of the issues identifed in iOS already were patched in the latest version of the software.
In addition methods of hacking iPhones, the WikiLeaks documents pointed to ways the CIA might exploit Windows PCs, Android phones and Samsung smart TVs.
Google reportedly expressed confidence that existing security protections in Chrome and Android shield their users from many of the vulnerabilities identified in the WikiLeaks dump.
Both Samsung and Microsoft reportedly said they were investigating the impact of the leaks.
Routers and Linux Targeted
Other targets of CIA hacking included Cisco and the Linux operating system, according to the Vault 7 documents.
There is little actionable information in the WikiLeaks documents, noted Dario Ciccarone, a security researcher at Cisco.
“At the time of the initial release, WikiLeaks has not released any of the tools or exploits associated with the disclosure,” he pointed out.
“Since none of the tools and malware referenced in the initial Vault 7 disclosure have been made available by WikiLeaks, the scope of action that can be taken by Cisco is limited. An ongoing investigation and focused analysis of the areas of code that are alluded to in the disclosure is underway,” Ciccarone said.
“Until more information is available, there is little Cisco can do at this time from a vulnerability handling perspective,” he added.
Linux’s popularity makes it a likely target for intelligence agencies, according to Nicko van Someren, chief technology officer for The Linux Foundation.
“Linux is a very widely used operating system with a huge installed base all around the world, so it is not surprising that state agencies from many countries would target Linux, along with the many closed source platforms that they have sought to compromise,” he told TechNewsWorld.
However, the rapid development cycle of the operating system — a kernel update is released every few days — enables Linux development teams to quickly address security problems, van Someren explained.
“Rapid release cycles enable the open source community to fix vulnerabilities and release those fixes to users faster,” he said.
Assange Offers Sneak Peek
WikiLeaks founder Julian Assange took to Facebook Live Thursday, offering to give tech companies making products targeted by CIA hacking tools exclusive access to any tools in WikiLeaks’ possession, so the businesses could plug any security holes.
Assange’s offer poses a dilemma for the companies. While they want to make their products more secure, hooking up with WikiLeaks would mean collaborating with an organization that may have broken U.S. laws by accepting stolen data. At the least, it has undermined the nation’s security by releasing classified information to the public.
Still, “they should accept Assange’s offer,” argued Israel Barak, chief information security officer at Cybereason.
“These companies have to make their software as secure as possible,” he told TechNewsWorld. “When you have an opportunity to do that, you’ve got to do it.”
However, Assange’s offer may be too little, too late.
“My guess is that some of this code is already in the hands of bad actors,” said Tony Busseri, CEO of Route1.
“That’s a point of concern for consumers, government and enterprises,” he told TechNewsWorld.
Consumer Impact
Consumers shouldn’t be too concerned about the Vault 7 leaks affecting their privacy and security, observed Craig Young, a computer security researcher at Tripwire.
“Consumers should, however, be cognizant that the conveniences afforded by connected technologies also inherently introduce privacy and security risks,” he told TechNewsWorld.
“As data is made available to smart devices like TVs, phones and voice-activated speakers, consumers are in fact extending a large degree of trust to the vendors making these products. There is trust not only that vendors are making these devices securely, but also that the vendors will continue to support them,” Young pointed out.
“Even with all of these things in mind,” he added, “there is always some risk — so it is advisable not to share sensitive data with these smart devices.”
Most consumers wouldn’t be affected by the tools WikiLeaks claims to have in its possession if the CIA had exclusive control of them, but that’s not the case now.
“The CIA is not going to try to hack your TV for no reason,” Route1’s Busseri said.
“The danger with WikiLeaks is if it starts exposing how these vulnerabilities and toolkits work, then criminal organizations will try to profit from them at the consumer’s expense,” he explained.
“These leaks are giving consumers a glimpse into how their devices can be used to spy on them,” said Cybereason’s Barak.
The leaks illustrate how vulnerable all digital devices are.
“The technology to hack into these systems is advancing just as rapidly as the security to protect them,” said Jim McGregor, principal analyst at Tirias Research.
“Nothing will ever be 100 percent secure,” he told TechNewsWorld, “just as no doctor will ever say with 100 percent accuracy what’s wrong with you.”