Apple: CIA’s Mac, iPhone Vulnerabilities Already Patched

Apple Tells WikiLeaks to Submit CIA Exploits Through Normal Process

Apple’s initial analysis of the iPhone and Mac exploits disclosed by WikiLeaks on Thursday shows that the vulnerabilities they use have already been patched. The company told WikiLeaks to send the information it possesses through the regular submission process.

WikiLeaks’ second “Vault 7” dump, dubbed by the organization “Dark Matter,” includes documents describing tools allegedly used by the U.S. Central Intelligence Agency (CIA) to spy on iPhones and Mac computers. However, installing the implants requires physical access to the targeted device.

The documents are dated 2008, 2009 and 2012, but WikiLeaks claims it has information that the CIA has continued to work on these tools. Apple has conducted a preliminary assessment of the latest WikiLeaks disclosure and determined that the vulnerabilities described in the documents were patched years ago.

“Based on our initial analysis, the alleged iPhone vulnerability affected iPhone 3G only and was fixed in 2009 when iPhone 3GS was released. Additionally, our preliminary assessment shows the alleged Mac vulnerabilities were previously fixed in all Macs launched after 2013,” Apple told SecurityWeek.

Apple’s claim that it has “fixed” all “vulnerabilities” described in DARKMATTER is duplicitous. EFI is a systemic problem, not a zero-day.

— WikiLeaks (@wikileaks) March 24, 2017

Apple’s analysis of the first Vault 7 leak also showed that many of the disclosed iOS exploits had already been patched in the latest version of the mobile operating system.

The tools described in the Dark Matter leak include Sonic Screwdriver, which is designed to allow code execution on a Mac laptop with password-protected firmware via an exploit stored on a Thunderbolt-to-Ethernet adapter.

The DarkSeaSkies implant is designed for targeting the EFI on MacBook Air computers, while NightSkies can be used to steal data from iPhones.

The documents show that the exploits can be delivered either via a supply chain intercept or by giving the manipulated device to the target as a gift. However, some believe the claims made by WikiLeaks regarding supply chain interception are misleading.

Apple has not negotiated with WikiLeaks

WikiLeaks has not made public any of the actual exploits, but it has promised to share them with affected tech companies. However, the whistleblower organization wants these companies to meet certain conditions, including to promise to patch the vulnerabilities within 90 days.

While Mozilla has accepted WikiLeaks’ offer, it appears Google, Apple and other companies are not eager to cooperate, which WikiLeaks has blamed on “conflicts of interest due to their classified work for U.S. government agencies.” Apple said it had not negotiated with WikiLeaks for any information.

“We have given them instructions to submit any information they wish through our normal process under our standard terms,” Apple said in its statement. “Thus far, we have not received any information from them that isn’t in the public domain. We are tireless defenders of our users’ security and privacy, but we do not condone theft or coordinate with those that threaten to harm our users.”

Related: Cisco Finds Zero-Day Vulnerability in ‘Vault 7’ Leak

Related: “Vault 7” Leak Shows CIA Learned From NSA Mistakes

Related: Industry Reactions to CIA Hacking Tools