Security Experts:

WikiLeaks to Share CIA Hacking Tools With Tech Firms

WikiLeaks has decided to share information on the alleged CIA hacking tools with the tech companies whose products are affected, but the White House has warned that there may be legal repercussions.

The Vault 7 files made public this week by WikiLeaks appear to show that the intelligence agency has had the tools and capabilities to hack a wide range of systems, including mobile and desktop devices, networking equipment, and Internet of Things (IoT) devices.

The products of several major companies are mentioned in the leaks and many of them have asked the whistleblower organization to share additional information to help them ensure that their customers are protected against possible cyberattacks.

While it has published numerous documents containing technical information, WikiLeaks initially said it would not release any actual tools or exploits “until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should analyzed, disarmed and published.”

However, WikiLeaks founder Julian Assange said in a press conference on Thursday that the decision to not release the exploits limits the ability of vendors to issue security fixes. That is why WikiLeaks has decided to share information with impacted companies.

“We have decided to work with them, to give them some exclusive access to the additional technical details we have so that fixes can be developed and pushed out so that people can be secured,” Assange said. “And then, once this material is effectively disarmed by us, by removing critical components, we will publish additional details about what has been occurring.”

It’s worth noting that WikiLeaks has launched a poll on Twitter, asking users if more details should be shared with tech companies, and 57 percent of respondents said “Yes, make people safe,” while 36 percent of respondents said “No, they’re the problem.”

While the decision to share technical details with technology companies may be good news, White House representatives have warned about the possible legal repercussions for these firms.

“If a program or a piece of information is classified, it remains classified regardless of whether or not it is released into the public venue or not,” said White House press secretary Sean Spicer. “I would just suggest that someone consult with [the Department of Justice] regarding the legal repercussions of any individual or entity using any piece of still-classified information or technique or product that hasn’t been declassified.”

Based on the information made public by WikiLeaks, security firms and major tech companies such as Microsoft, Apple and Google have determined that many of the vulnerabilities leveraged by the alleged CIA tools don’t affect the latest versions of their products. In fact, some of the flaws were patched several years ago.

The CIA has refused to comment on the authenticity of the leaked documents, but pointed out that the agency is legally prohibited from spying on individuals in the United States.

Related: "Vault 7" Leak Shows CIA Learned From NSA Mistakes

Related: Government Contractor Indicted Over Theft of Secret Documents

Related: Required Insider Threat Program for Federal Contractors - Will It Help?

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.