[Updated] WikiLeaks Not Ready to Share Code with Tech Companies – Google Says “Many” Leaked Android Flaws Are Outdated
Google has finally spoken up and is saying what Apple did about the latest CIA leaks - many of the leaked flaws are outdated and already patched. As the companies continue to review the documents, it is becoming clear that most of the reported vulnerabilities are outdated. However, none of the tech firms mentioned in the documents has yet said whether "all" of the CIA exploits are patched.
Analysts believe that this could be because the tech firms lack access to the hacking code. Only the CIA and WikiLeaks can share further details with the tech industry to help it confirm whether everything is fully patched. And apparently, neither of them is ready to do that.
Google: Chrome and Android users safe from "many of these alleged vulnerabilities"
On Tuesday, WikiLeaks released over 8,700 documents labeled "confidential" and "secret," revealing the intelligence agency's covert hacking and spying capabilities. Among these documents were also the details of several exploits that the CIA uses to target Android, iOS, and other platforms.
Following Apple, Microsoft and Samsung's statements, Google is also saying that Android users should be protected from most of these alleged hacking tools referenced in the WikiLeaks release.
"As we've reviewed the documents, we're confident that security updates and protections in both Chrome and Android already shield users from many of these alleged vulnerabilities."
Yesterday, Apple had said that its users are protected from "many" of these exploits revealed in the leaked documents, saying nothing about when exactly the rest of the flaws will be patched.
"Our analysis is ongoing and we will implement any further necessary protections," Google added. "We've always made security a top priority and we continue to invest in our defenses."
Because the thousands of documents dumped by WikiLeaks will take tech companies some time to investigate fully, both of the leading American tech companies stopped short of giving any timeline for expected patches or even providing details of how severe the remaining exploits could be.
Several independent security researchers have said that the threat to the latest Android versions appears to be minimal. However, unlike iPhone users, Android users mostly get the latest security patches more slowly, possibly putting millions of them at risk from these exploits. WikiLeaks' alleged CIA documents claim that the agency's stockpile of exploits is used for a number of activities, including monitoring communications and tracking users.
WikiLeaks isn't helping tech companies either
As is customary for WikiLeaks, the organization focuses on releasing documents or the details of security vulnerabilities without first informing the relevant tech companies, even though notifying them first is the standard procedure followed in the security industry. However, WikiLeaks isn't working to provide any help to the companies impacted by these CIA documents, further putting users at risk.
A report by the WSJ published last night added that only the CIA and WikiLeaks have access to the exploit code, but neither of them is sharing this software with the tech companies who are responsible for patching these exploits.
"Companies now find themselves in a difficult position: They believe that at least two organizations have access to hacking code that exploits their products - the CIA and WikiLeaks - but neither one is sharing this software…"
With the lack of support from the CIA and WikiLeaks, it may take longer for Google, Apple and other involved tech companies to pick up the pieces and offer fixes to end users. WikiLeaks ran a poll asking its followers if it should work directly with the technology companies.
Tech companies are saying they need more details of CIA attack techniques to fix them faster. Should WikiLeaks work directly with them?
— WikiLeaks (@wikileaks) March 8, 2017
At the time of writing, 57% of 37,195 respondents had voted yes. It is unclear whether the organization has decided to share any code details with the relevant companies.
[Update]: WikiLeaks has decided to work with the tech industry
"We have decided to work with them, to give them some exclusive access to some of the technical details we have, so that fixes can be pushed out," Julian Assange said in an online press conference this morning. "Once tech firms had patched their products, he said, he would release the full data of the hacking tools to the public," AP reported.
The CIA obviously doesn't like its exploits being known - or patched. Following Assange's statement, the agency's spokesperson Heather Fritz Horniak said that despite these leaks, the CIA continues to "aggressively" spy and hack its adversaries.
"As we've said previously, Julian Assange is not exactly a bastion of truth and integrity. Despite the efforts of Assange and his ilk, CIA continues to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries."
Both Apple and Google had previously said that most of the leaked flaws are outdated. However, WikiLeaks' decision will hopefully help tech firms quickly patch any flaws that could have remained unresolved. Following the release of documents on Tuesday, the security industry has said WikiLeaks was obligated to work with technology companies to help them fix previously unknown software flaws.
In his press conference, Assange also added that the leaked surveillance and hacking technology is designed to be untraceable. While the CIA had claimed in its earlier statement that the agency doesn't and can't spy on American citizens, it would be hard to know with its contractors using untraceable tools.
"There's absolutely nothing to stop a random CIA officer" or a contractor from using the technology, Assange said. "The technology is designed to be unaccountable, untraceable; it's designed to remove traces of its activity."