Julian Assange’s WikiLeaks didn’t earn itself much love from the infosec community when its Vault 7 press release (incorrectly) claimed that encrypted chat apps like Signal and WhatsApp had been cracked by the CIA (they haven’t: the leaked tools target the phone itself, reading messages before they are encrypted, rather than breaking the apps’ encryption), and some in the media made the mistake of getting very excited about the idea that your Samsung TV might have been remotely hacked to spy on your conversations (it hasn’t).
The reality is that the vast majority of us should be worrying much more about being phished by the next email we receive than by WikiLeaks’s revelations of alleged zero-day vulnerabilities held only by the CIA.
Nonetheless, if there are unpatched vulnerabilities in Android, iOS, Windows and so on that intelligence or law enforcement agencies are aware of (and potentially using), but have not reported to the software manufacturer, then that’s a big problem.
Because if an intelligence agency has worked out a way of hacking a smartphone remotely, for instance, then there’s a chance that others have worked it out too. Including criminal gangs or rogue nation states.
The best course of action for millions of innocent technology users around the world is for vulnerabilities to be responsibly reported and patched quickly by vendors.
Put simply: if, say, the CIA doesn’t share details of the exploitable flaws it has discovered with the technology firm concerned, there is a chance that the very people the CIA is trying to protect could themselves be hacked through those same flaws.
So, I was pleased to hear Assange say at an online press conference that WikiLeaks had decided to share details of the vulnerabilities with the relevant vendors so fixes could be rolled out:
“We have decided to work with them, to give them some exclusive access to the additional technical details we have so that fixes can be developed and pushed out so that people can be secured. And then, once this material is effectively disarmed by us, by removing critical components, we will publish additional details about what has been occurring.”
What a shame that Assange did not co-ordinate with vendors *before* releasing the “Vault 7” data dump. What a positive story that could have been.
As Forbes reports, WikiLeaks doesn’t yet seem to have shared any details with Google and Microsoft at least.
Let’s hope that this information-sharing is happening as we speak, so any remaining vulnerabilities are not left unpatched for any day longer than necessary. Any delay in sharing the details would reflect very poorly on Assange and his WikiLeaks organisation.
You can hear some of my personal views about WikiLeaks’s release of the “Vault 7” CIA data dump in this episode of the “Smashing Security” podcast where I was joined by Carole Theriault and special guest Paul Ducklin (better known as “Duck”).