New WikiLeaks documents fuel tension between intelligence agencies, tech sector

08 March 2017
The release of documents that purportedly describe hacking of consumer gadgets by the Central Intelligence Agency fueled new concern in the technology industry that U.S. intelligence agencies are working at odds with tech companies.
WikiLeaks said the 8,761 documents and files it made public Tuesday describe techniques the CIA uses to circumvent the security of dozens of products, including mobile phones from Apple Inc. and Alphabet Inc.’s Google, software from Microsoft Corp., and televisions from Samsung Electronics Co. If accurate, the documents could point to new security weaknesses for the products and their customers—although some experts on Tuesday said the techniques described in the documents don’t appear especially sophisticated.

The leak follows other incidents in recent years that have driven a wedge between the tech industry and the U.S. national security apparatus—most notably Edward Snowden’s 2013 revelations of U.S. surveillance programs. Those episodes have made tech companies wary of cooperating with the federal government on issues involving customer privacy.

“I can’t imagine that this doesn’t widen the rift between Silicon Valley and intelligence agencies,” said Jake Williams, founder of Rendition InfoSec LLC., a company that sells computer security services. “I can’t fathom a business owner saying, ‘Cool I’m definitely going to help you and risk the future of my organization.’”

Apple late Tuesday said its analysis found that many of the potential vulnerabilities disclosed were patched by the latest version of iOS, its mobile operating system. Microsoft and Google said they were investigating the issue. Samsung didn’t immediately respond to a request for comment. The CIA declined to comment on the authenticity or content of the WikiLeaks documents.

The documents raise anew questions about what responsibility the federal government has to notify companies of security flaws in their products that it knows about. Beyond concerns about privacy from government intrusion, security specialists worry that weaknesses the government exploits could also be used by criminals or other nation-state attackers.

“We need to have a national conversation and some rules about when the government has to take steps to make us all safe and when the government might sit on a vulnerability,” said Cindy Cohn, executive director of the Electronic Frontier Foundation, a digital rights advocacy group.

She pointed also to a separate leak in August of a database of hacking tools purportedly lifted from the National Security Agency that included code that could be used to attack products built by Cisco Systems Inc., Juniper Networks Inc. and others.

Mr. Snowden’s disclosure of surveillance programs, such as the NSA’s PRISM effort, fueled a perception that Silicon Valley companies were uncritical accomplices in the government’s mass surveillance efforts, damaging their reputations. Because the CIA does more targeted data collection than the NSA, the latest documents are unlikely to have as dramatic an effect as Mr. Snowden’s leaks did, said James Lewis, senior vice president with the Center for Strategic International Studies.

Security experts said that, at first glance, the documents don’t appear to describe extremely sophisticated attacks on mobile phones. In addition, the documents don’t include some of the most sensitive attack code purportedly used by the CIA, so these methods can’t yet be used by others—though WikiLeaks said that it could publish more details in the future.

On the other hand, it is still bad news for consumers, Mr. Lewis said. “If you are a consumer and you think the technology you use is safe, you are sadly deluded,” he said.

Apple, in particular, has emphasized its efforts to protect user privacy on its iPhones and other devices. Last year, the Federal Bureau of Investigation asked Apple to develop a technique to allow it to break into the locked iPhone of San Bernardino attacker Syed Raheel Farook. Apple refused, saying that such a technique would amount to a back door into its products—something that could be misused by others.

“We feel strongly that our customers, their families, their friends and their neighbors will be better protected from thieves and terrorists if we can offer the very best protections for their data,” Apple General Counsel Bruce Sewell told Congress last year.

While they describe a number of smartphone attacks, the documents don’t reference direct attacks on encrypted messaging software such as Signal or Facebook Inc.’s WhatsApp. To get access to phone messages, the CIA appears to instead focus on compromising phones’ operating systems.

That makes spying on messages more costly and less effective than it would be without encrypted messaging, said Moxie Marlinspike, a founder of Open Whisper Systems, which created the underlying encryption software used by the WhatsApp and Signal messaging tools. “In a larger sense, we see this as confirmation that what we’re doing is effective,” he said.

/WSJ/
