Details concerning multiple iOS, Mac, and AirPort exploits allegedly used by the CIA were published by WikiLeaks late last night.
The documents reveal an extensive quantity of exploits used against Apple devices, though WikiLeaks has not published any of the technical details or computer code that was also leaked, to prevent these hacks disseminating any further. (Though we don’t know who else got the data.)
The documents offer the deepest look yet into how intelligence services (including the CIA, GCHQ, and others) have worked together to undermine the security of products from multiple vendors, including Apple.
Agencies argue that your broken security is the price to keep you safe, while most technologists agree that the existence of unpatched vulnerabilities that are used by one government means everyone becomes far less safe – if one government has them, so do the others.
That this data has leaked at all shows just how easy it is to spread these backdoor keys.
Harpy Eagle, Snowy Owl
The report suggests that spies are listening to you through your television, looking at what you look at through your camera, and rifling through your personal data. The exploits all have funky code-names, too, including:
- Harpy Eagle: an exploit that gains root access to AirPort Extreme and Time Capsule.
- Snowy Owl: an attempt to create a hidden channel to a remote Mac.
- Various (14) iOS exploits with names like Archon, Dyonedo, Earth/Eve, Elderpiggy, Ironic, Nandao, Juggernaut, Persistence, Redux, Rhine and many more. At least some of these came from international intelligence agency allies, including the UK agency GCHQ.
The documents suggest the CIA hoards ‘Zero Day’ exploits. These are typically dangerous exploits that can undermine security or break computer-controlled infrastructure.
They also reveal many exploits for Android devices and another that lets the spooks listen to your conversation using the mic in some Samsung TVs.
Responding to the WikiLeaks claims, Apple said the latest versions of its software contain patches for most of the flaws, and promises it is working on those it was not hitherto aware of.
“Apple is deeply committed to safeguarding our customers' privacy and security. The technology built into today's iPhone represents the best data security available to consumers, and we're constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates.”
This is a very good reason to insist on the strongest possible security for every citizen, as back door exploits serve to make us weaker, and not stronger.
Think about it – so long as exploits like these exist and are not known about, then any government, hacker, or computer criminal can find and use them.
Once they are found, many government users share this information (as GCHQ did with the CIA).
Anyone with a guilty conscience knows a secret shared is a secret told – we know the exploits will leak over time.
Governments everywhere spend time trying to find each other’s secrets, meaning any such vulnerabilities can also be stolen and used by malicious actors.
In a matter of time, these leaks mean every government or criminal is equipped with powerful tools that undermine your security, even while vendors aren’t made aware of the problem.
(We know this data has been leaked to WikiLeaks because it told us; we do not know who else has this data and has not told us.)
It’s not just your privacy and your bank account details. Stuxnet showed that tools of this nature pose a serious threat to connected infrastructure.
For Apple users, the company’s statement that it has already patched “many” of the leaks is a little chilling, as it suggests the company has not been made previously aware of them all.
The irony of this sequence of events is that while these tools are ostensibly developed for your protection, as they (inevitably) proliferate beyond responsible agencies they make you far less safe.