Cyber Security

Apple, Google: We’re Ready If WikiLeaks Shows How CIA Hacks Our Phones

That the CIA can hack a phone isn't news. But what if WikiLeaks spills those secrets to the world?

Cyber Security
Apple CEO Tim Cook waves as he arrives on stage during a launch event — Getty Images
Mar 08, 2017 at 4:26 PM ET

Apple and Google are ready to patch any vulnerabilities that WikiLeaks might reveal as part of its dump of CIA documents, the companies say.

The document repository site released the first of its long-teased “Vault 7” files on Tuesday, a trove of files, with users’ names redacted, from the Central Intelligence Agency’s hacking division. Intelligence officials have confirmed WikiLeaks’s documents largely appear authentic, and the CIA reportedly has been aware that such documents were leaked, either by a personal leaker or by hack, as of 2016.

The documents themselves don’t contain actual exploits, which are typically used by hackers to take advantage of vulnerabilities or bugs in software code. But they do make reference to the existence of number of such exploits, particularly that would work on Android phones and iPhones, and WikiLeaks has promised it will release far more related documents. While there’s absolutely no evidence that the CIA has compromised the encrypted messaging app Signal, contrary to some early reports, even using encryption won’t protect your privacy if a government hacking agency has compromised your entire phone.

Just in case WikiLeaks does release such exploits, Apple says it’s prepared. “While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities,” the company said in a statement provided to Vocativ. “Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system.”

Google offered a similar sentiment. “As we’ve reviewed the documents, we’re confident that security updates and protections in both Chrome and Android already shield users from many of these alleged vulnerabilities,” Heather Adkins, Director of Information Security and Privacy, said in a statement to Vocativ. “Our analysis is ongoing and we will implement any further necessary protections.”

It’s not uncommon for intelligence agencies, including the NSA and FBI, to secretly maintain a library of “zero days” — as in, that’s how much time a company’s developers have to patch a vulnerability — which can be used to hack, for instance, a smartphone without the company’s knowledge. If such information were made public and those vulnerabilities were still live, it could give hackers around the world an opportunity to exploit people’s phones.

That’s not to say that any zero days held by WikiLeaks would necessarily still work, as the CIA documents are largely dated from between 2012-2015. Either way, if your phone releases a new operating system, it’s smart to update as soon as possible in case that covers a new vulnerability.