Wikileaks' CIA hacking dump sends tech firms scrambling for fixes (updated)
08/03/2017 18:33
(Tweaks first paragraph, adds Google declining to comment;
changes slug to conform to previous stories)
By Eric Auchard
FRANKFURT, March 8 (Reuters) - Tech companies must rapidly
step up information-sharing to protect users from prying eyes, a
security software executive said on Wednesday after WikiLeaks
released a trove of data purporting to show that the CIA can
hack all manner of devices.
Dozens of firms rushed to contain the damage from possible
security weak points following the anti-secrecy organisation's
revelations, although some said they needed far more information
on what the U.S. intelligence agency was up to before they could
thwart suspected but previously hidden attacks.
Sinan Eren, vice president of Czech anti-virus software
maker Avast, called on mobile software makers Apple AAPL.O and
Google GOOGL.O to supply security firms with privileged access
to their devices to offer immediate fixes to known bugs.
"We can prevent attacks in real time if we are given the
hooks into the mobile operating system," Eren said in a phone
interview from Silicon Valley, where he is located.
"If we can drive a paradigm shift where mobile platforms
don't shut off access, we'll be better able to detect when
hackers are hiding in a mobile (phone)", he said.
Avast, which counts more than 400 million users of its
anti-virus software worldwide, was named in the WikiLeaks
documents as one of the security vendors targeted by the CIA in
a leaked page labelled "secret" but lacking further details.
The leaks - which WikiLeaks described as the biggest in the
Central Intelligence Agency's history - had enough technical
details for security experts and product vendors to recognise
that widespread compromises exist. However, they provided few
specifics needed to offer quick fixes.
Reuters could not immediately verify the validity of the
published documents, but several contractors and private cyber
security experts said the materials appeared to be legitimate.
(http://reut.rs/2mEIxjU)
The 8,761 leaked documents list a wealth of security attacks
on Apple and Google Android smartphones carried by billions of
consumers, as well as top computer operating systems - Windows,
Linux and Apple Mac - and six of the world's main web browsers.
Apple said in a statement that nearly 80 percent of iPhone
users run its current iOS software with the latest security
patches. "Many of the issues leaked today were already patched
in the latest iOS; we will continue work to rapidly address any
identified vulnerabilities," Apple said on Tuesday. The
statement made no reference to attacks on its computer software.
Google declined to comment, while a Microsoft spokeswoman
said: "We're aware of the report and are looking into it."
Widely-used routers from Silicon Valley-based Cisco CSCO.O
were listed as targets, as were those supplied by Chinese
vendors Huawei HWT.UL and ZTE 000063.SZ and Taiwanese
supplier Zyxel for their devices used in China and Pakistan.
Cisco security team members said in a blog post that because
WikiLeaks has not released any of the actual hacking exploits,
"the scope of action that can be taken by Cisco is limited".
Omar Santos, a principal engineer in Cisco's security
response unit, said malware appears to be targeting whole
families of Cisco devices but is designed to remain hidden so as
to steal data unnoticed. He said Cisco assumes WikiLeaks will
eventually disclose the hacks, allowing it to fix them.
Huawei declined to comment. ZTE and Zyxel were not
immediately available to respond.
STAY OF EXECUTION
Messaging apps protected by full software encryption also
appear to be vulnerable to hacking of the smartphones
themselves, communications app provider Telegram said in a blog
post. But one positive outcome may be that device and software
makers will be able to close up these holes, it said.
"This is not an app issue. It is relevant on the level of
devices and operating systems like iOS and Android," Telegram
stated, adding: "The good news is that for the moment all of
this is irrelevant for the majority of Telegram users. If the
CIA is not on your back, you shouldn't start worrying just yet."
The WikiLeaks collection contains a mix of copious data and
empty files marked "secret" that promised more details to come
on attacks against more than 15 security software firms.
U.S. cyber security expert Robert Graham said WikiLeaks
provided enough detail to recognise some known vulnerabilities.
"One anti-virus researcher has told me that a virus they
once suspected came from the Russians or Chinese can now be
attributed to the CIA, as it matches the description perfectly
to something in the leak," Graham said in a blog post.
Some security experts said the CIA's possible use of tools
from other spy agencies raised the risk of false attribution for
targeted cyber attacks by the U.S. intelligence agency.
He said CIA cyber spying efforts could be set back years.
The CIA and White House declined comment. "We do not comment
on the authenticity or content of purported intelligence
documents," CIA spokesman Jonathan Liu said in a statement.
WikiLeaks said it aims to provoke a political and legal
debate about the CIA's cyber arsenal. However, it was holding
back, for now, much of the technical documentation that would
allow other hackers and cyber criminals to exploit the hacks -
while putting vendors on notice to expect further revelations.
The organisation said in a statement it is "avoiding the
distribution of 'armed' cyber weapons until a consensus emerges
on the technical and political nature of the CIA's program and
how such 'weapons' should be analysed, disarmed and published".
It described sophisticated tools for targeting the devices
of individual users, in contrast to the revelations by former
National Security Agency contractor Edward Snowden of mass data
collection on millions of web and phone users worldwide.
(Editing by David Stamp/Mark Heinrich)
((eric.auchard@thomsonreuters.com; +49 69 7565 1235; Reuters
Messaging: eric.auchard.thomsonreuters.com@reuters.net))
Keywords: CIA WIKILEAKS/PRODUCTS