WikiLeaks to Share CIA Hacking Data with Tech Companies

WikiLeaks will release the code showing how the CIA managed to break into phones, work around encrypted messaging apps and avoid detection by software designed to defend against cyberattacks.

by Marissa Lang, San Francisco Chronicle / March 10, 2017
Shutterstock

(TNS) -- WikiLeaks will turn over all the details it has on the CIA’s alleged hacking arsenal so that tech companies like Apple and Google can patch holes and fix vulnerabilities in their technology before the activist group makes the code publicly available online, the organization’s founder announced Thursday. 

Julian Assange took questions on the CIA leak in a lengthy online news conference broadcast on Twitter from Ecuador’s Embassy in London, where Assange has been since he was granted political asylum in 2012 to avoid extradition to Sweden on rape accusations, which he has denied.

Assange said the organization would work with tech companies whose products appeared to be targets of CIA cyberattacks that included breaking into phones, computers, cars and televisions.

“WikiLeaks has a lot more information about what has been going on with the cyberweapons program. After considering what we think is the best way to proceed and hearing these calls from some of the manufacturers, we have decided to work with them to give them some exclusive access to the additional technical details that we have so that fixes can be developed and pushed out, so people can be secure,” Assange said.

He did not detail how WikiLeaks would securely pass the information on to tech firms or to which companies the data would be distributed.

Once companies have had a chance to ensure that consumer devices are properly protected, Assange said, the group will release the code showing how the CIA managed to break into phones, work around encrypted messaging apps and avoid detection by software designed to defend against cyberattacks.

WikiLeaks published a cache of nearly 9,000 documents that the group said had been leaked by a CIA contractor. Though the CIA itself has declined to comment on the authenticity of the documents, several cybersecurity experts interviewed by The Chronicle, including some with previous government experience, said the trove of data appears legitimate.

The initial document release on Tuesday was only a piece of a greater stash of information WikiLeaks said it had hesitated to reveal, due to the sensitive nature of the information and how extensively it could endanger people’s personal data.

In a statement that accompanied the documents, WikiLeaks said it avoided “the distribution of ‘armed’ cyberweapons” before those tools could be disabled and rendered relatively benign.

Companies named in the leak, including Apple, Google, Microsoft and Samsung, said this week that they are investigating the claims and patching security holes.

According to the leaked documents, the CIA discovered and kept secret 14 methods of exploiting Apple devices. Those vulnerabilities are known as zero-day attacks, meaning they pounce on security defects unknown even to the company itself and, therefore, have no known fix.

The spy agency also collected 24 “weaponized” zero-day exploits against Android devices, the documents said, and engaged in an attack called “Weeping Angel” that turned Samsung Smart TVs into listening devices by putting the television sets in a fake off-mode while hackers used them to record conversations.

Security experts were outraged over the leak, in part, they said, because by keeping information about technological vulnerabilities to itself, the spy agency could have put the personal data of countless people at risk of being hacked by cybercriminals or other countries.

Assange suggested during Thursday’s news conference that the CIA may have used some of these tools to spy on Americans, which would be a violation of the agency’s legal mandate.

He said WikiLeaks had received a list of more than 22,000 IP addresses — numbers that correspond with individual computers — associated with U.S. computers that could have been used in CIA attacks or targeted by CIA hackers.

Those IP addresses have not be released nor independently verified.

The CIA has denied that it uses electronic surveillance against Americans, and many cybersecurity experts cautioned against trusting Assange, whom many consider to be a tool of Russia.

Samsung, Google and Apple did not immediately respond to requests for comment on Assange’s offer.

©2017 the San Francisco Chronicle Distributed by Tribune Content Agency, LLC.