Will WikiLeaks work with tech firms to defeat CIA hacking?
WASHINGTON (AP) — The anti-secrecy group WikiLeaks raised the prospect Wednesday of sharing sensitive details it uncovered about CIA hacking tools with leading technology companies whose flagship products and services were targeted by the government’s hacker-spies.
If that sharing should take place, the unusual cooperation would give companies like Apple, Google, Microsoft, Samsung and others an opportunity to identify and repair any flaws in their software and devices that were being exploited by U.S. spy agencies and some foreign allies, as described in nearly 9,000 pages of secret CIA files WikiLeaks published on Tuesday.
The documents, which the White House declined anew Wednesday to confirm as authentic, describe clandestine methods for bypassing or defeating encryption, antivirus tools and other protective security features for computers, mobile phones and even smart TVs. They include the world’s most popular technology platforms, including Apple’s iPhones and iPads, Google’s Android phones and the Microsoft Windows operating system for desktop computers and laptops.
“This is the kind of disclosure that undermines our security, our country and our well-being,” White House spokesman Sean Spicer said. “This alleged leak should concern every single American.”
Spicer defended then-candidate Donald Trump’s comment in October 2016 — “I love WikiLeaks!” — after it published during the presidential campaign private, politically damaging emails from Hillary Clinton’s campaign manager. Spicer said there was a “massive, massive difference” between WikiLeaks publishing stolen, personal emails of a political figure and files about national security tools used by the CIA.
The CIA has declined to confirm that the documents are authentic. But on Wednesday, the agency said Americans should be “deeply troubled” by the disclosures.
WikiLeaks has not released the actual hacking tools themselves, some of which were developed by government hackers while others were purchased from outsiders. The group indicated it was still considering its options but said in a statement Wednesday: “Tech companies are saying they need more details of CIA attack techniques to fix them faster. Should WikiLeaks work directly with them?” It wasn’t clear whether WikiLeaks — a strident critic of Google and Facebook, among others — was serious about such action.
A message seeking additional details from WikiLeaks was not immediately returned, and an attempt to speak to founder Julian Assange at the Ecuadorean Embassy in London on Tuesday was rebuffed.
Security experts said WikiLeaks was obligated to work privately with technology companies to disclose previously unknown software flaws, known as zero-day vulnerabilities because consumers would have no time to discover how to defend themselves against their use, and with companies that design protection software. WikiLeaks has said the latest files apparently have been circulating among former U.S. government hackers and contractors.
“The clear move is to notify vendors,” said Chris Wysopal, co-founder and chief technology officer of Veracode Inc. “If WikiLeaks has this data then it’s likely others have this data, too. The binaries and source code that contain zero days should be shared with people who build detection and signatures for a living.”
The political fallout and damage to U.S. intelligence operations was still being assessed. The former head of the CIA and National Security Agency, Michael Hayden, sought to assure people the U.S. would use such cyber weapons only against foreign targets.
“I can tell you that these tools would not be used against an American,” Hayden said Tuesday night on “The Late Show with Stephen Colbert.”
“But there are people out there that you want us to spy on. You want us to have the ability to actually turn on that listening device inside the TV, to learn that person’s intentions.”
One clear risk is that WikiLeaks revealed enough details to give foreign governments better opportunities to trace any of the sophisticated hacking tools they might discover back to the CIA, damaging the ability to disguise a U.S. government hacker’s involvement. “That’s a huge problem,” said Adriel T. Desautels, the chief executive at Netragard LLC, which formerly sold zero-day exploits to governments and companies. “Our capabilities are now diminished.”
Some vendors were already sifting through the disclosures to fix flaws in their software. The first confirmed patch came from Avira Operations GmbH & Co., a German antivirus vendor, which told The Associated Press it fixed what it described as “a minor vulnerability” within a few hours of the WikiLeaks release.
Apple said many of its security vulnerabilities disclosed by WikiLeaks were already fixed. In a statement late Tuesday, it said its initial analysis showed that the latest version of the iOS system software for iPhones and iPads fixed many of those flaws. Apple said it will “continue work to rapidly address any identified vulnerabilities.”
Google hasn’t commented yet.
The WikiLeaks disclosures were an extraordinary coup for a group that has already rocked American diplomacy with the release of 250,000 State Department cables, embarrassed the U.S. military with hundreds of thousands of logs from Iraq and Afghanistan and upended the U.S. presidential election by publishing Democratic Party emails.
The new releases are all the more remarkable given that WikiLeaks’ founder Assange is midway through his fifth year at the Ecuadorean Embassy. He received political asylum after skipping bail to avoid extradition to Sweden, where he is wanted for an allegation of rape. Last year, a United Nations panel declared that the U.K. and Sweden were detaining him arbitrarily, but there’s no suggestion that Swedish or British authorities will budge on their desire to detain and extradite him.
Meanwhile, the upcoming second round of Ecuador’s presidential contest may mean Assange’s welcome at the embassy is wearing thin. The front-runner in the race, Guillermo Lasso, has said he would evict Assange, an action Assange says could eventually lead to his extradition to the United States.
Satter reported from Paris. Associated Press writers Ken Thomas and Deb Riechmann in Washington and Michael Liedtke in San Francisco contributed.