Among this week's revelations in the release of thousands of purported CIA files is the contention that some flawed computer security software is going unrepaired because U.S. intelligence agencies find the flaws useful.
The files, code-named Vault 7, contend that the CIA knows about various security flaws but hasn't alerted the manufacturers because it wants to keep using the flaws to spy on its targets.
On the heels of the document release, The Daily Mail reports that WikiLeaks director Julian Assange is offering to provide details of the defects to the appropriate companies. The information was redacted from the document release so that it would not be distributed any further among hackers than it already has been.
A lot more information
Assange told reporters that he has access to "a lot more information" that he is willing to make available to companies so they can make their consumer products more secure.
"After considering what we think is the best way to proceed and hearing these calls from some of the manufacturers, we have decided to work with them to give them some exclusive access to the additional technical details that we have, so that fixes can be developed and pushed out, so people can be secured," Assange said in a video posted on The Daily Mail website. "And then once this material is effectively disarmed by us, by removing critical components, we will publish additional details about what has been occurring."
The documents published by WikiLeaks claim the CIA has penetrated the operating systems of iPhones and Android devices to intercept messages. Some documents allege the spy agency is able to use Samsung smart TVs to listen in when the set is believed to be turned off.
Silicon Valley skepticism
But another British newspaper, The Guardian, reports tech companies appear to be in no rush to take Assange up on his offer. In fact, The Guardian quotes Ryan Kalember, a senior executive at Proofpoint, as finding "nothing earthshattering" in the documents. He says some of the systems mentioned in the documents are old and are either no longer used or have been updated.
In other words, he says it really isn't clear how many of the vulnerabilities highlighted in the documents are real. Another security researcher, speaking anonymously, dismissed the documents as "unimpressive," saying they show a lack of technical sophistication at the CIA.
Writing on Sophos Software's Naked Security blog, John E. Dunn also seems to classify the document dump as old news.
"The significance of Samsung TV hacking is not that the CIA will do this to the average citizen – CIA target lists are tiny – but that they can do that at all," Dunn writes. "As we know from numerous IoT vulnerability stories, these devices have a security problem."
The same is true, he writes, for vulnerable smartphone messaging programs. The big news, he concludes, is the CIA somehow lost control of these documents. If WikiLeaks can get its hands on them, so can a lot of other people.