WikiLeaks will release to tech firms the software code of CIA hacking tools that were designed to compromise smartphones and other products, the group’s founder said Thursday, attempting to position himself as a defender of cybersecurity and probably further antagonizing the intelligence community.
“We have decided to work with” the firms, WikiLeaks founder Julian Assange said at a news conference, “to give them some exclusive access to the additional technical details we have so that fixes can be developed and pushed out, so that people can be secured.”
Once the patches are sent out — or, as Assange put it, “once this material is effectively disarmed by us” — WikiLeaks will release more details publicly, he said.
Assange’s remarks come two days after the radical transparency site put up a cache of files describing secret CIA hacking techniques and tools aimed at, for instance, seizing control of iPhones and Google’s Android phones, turning some Samsung television sets into bugging devices and getting data from devices not connected to the Internet. The release stopped short of releasing the code itself.
Some national security experts wondered why WikiLeaks had not already shared the software flaws.
“If WikiLeaks were really concerned about user security, they could’ve handed these vulnerabilities over to vendors immediately upon receiving this archive,” said Adam Klein, a senior fellow at the Center for a New American Security and an expert on national security and digital surveillance. “But we know they’ve had it for some time and haven’t done so.”
And Alex Rice, chief executive of HackerOne, the start-up that enlists hackers to share security flaws with tech companies for a profit, said, “This is a critical step that WikiLeaks should have taken immediately upon receipt of such information.”
Others praised WikiLeaks’s vow to share data with tech companies. “It’s incredibly good news” for personal cybersecurity, said Nathan White, senior legislative manager for Access Now, a digital rights group. He noted how WikiLeaks also stands to gain from the move, since it has been criticized for publishing information without vetting it for privacy and security in the past.
The CIA continues to have no comment on the authenticity of the documents released, which WikiLeaks said is the first tranche of more to come. Independent experts have said the files appear to describe authentic “exploits,” or tools that hackers can use to penetrate a device, but many of them are dated and appear to have already been patched by tech firms. And researchers said they have long been aware of a number of the techniques.
A CIA spokesman, Jonathan Liu, suggested that WikiLeaks’ pronouncements of the scale and impact of its Tuesday “Vault 7” release are exaggerated. “As we’ve said previously, Julian Assange is not exactly a bastion of truth and integrity,” Liu said. “Despite the efforts of Assange and his ilk, CIA continues to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries.”
U.S. laws and policies bar the CIA from conducting electronic surveillance targeting individuals on U.S. soil. “And CIA does not do so,” Liu said.
Within the CIA, officials were aware before the WikiLeaks release of a loss of sensitive information, according to people familiar with the matter. The CIA’s internal security personnel, who apparently had not told the FBI, were pursuing the matter, but the scope and severity of the problem were unclear until WikiLeaks posted online the roughly 9,000 documents on Tuesday, these individuals said.
An immediate challenge for FBI investigators hunting for a possible mole is to pare down a list of suspects from the pool of people who had access to the information leaked — a challenging task, given that hundreds and potentially thousands of people had access to the data.
After Assange’s news conference Thursday, tech companies deliberated the consequences of taking data from WikiLeaks, according to a person familiar with the discussions. They considered the legal implications of using information from documents obtained illegally and the political fallout from doing so. They questioned whether Assange was attempting to further drive a wedge between the technology industry and the U.S. government.
Apple declined to comment on Assange’s statements. The company said earlier this week that “many” of the vulnerabilities identified in the WikiLeaks documents had already been patched, and encouraged customers to download the most recent security update. Roughly 80 percent of customers using Apple’s iOS software have downloaded the latest update, the company said.
Google declined to comment.
The CIA dismissed any suggestion that WikiLeaks’ release served the interests of privacy and security.
“The American public should be deeply troubled by any WikiLeaks disclosure designed to damage the intelligence community’s ability to protect America against terrorists and other adversaries,” Liu said. “Such disclosures not only jeopardize U.S. personnel and operations, but also equip our adversaries with tools and information to do us harm.”
Sen. Ben Sasse (R-Neb.), a Judiciary Committee member, on Thursday sent a letter to Attorney General Jeff Sessions on the issue. He asked if the Justice Department believed that Assange broke the law by releasing the CIA materials. Sasse said he looked forward to a “prompt response.”