A man checks his phone next to billboards advertising the Apple iPhone 7 smartphone as he stands on Oxford Street in London on March 7, 2017. American and British spy agencies have shared iPhone exploits, according to CIA files leaked by Wikileaks today. (Photo credit: CHRIS J RATCLIFFE/AFP/Getty Images)
If you’re an iPhone user, there’s a slice of good news amongst the reams of Central Intelligence Agency cyberarms dropped by Wikileaks today: there are no obvious new exploits affecting Apple’s latest iOS. As iOS exploit expert Will Strafach told Forbes: “I do not believe any iOS user running iOS 10+ has any cause for concern by this… [I’m] trying to clearly figure out if average iOS users should be concerned about a malicious party using the released content to hack their device, and the answer is no, it seems.”
But there are reasons for Apple customers to be concerned about the latest CIA leaks, regardless of their belief that they enjoy better security than Android users. The epic Wikileaks data dump makes it more apparent than it already was that the CIA, like any intelligence agency, has a penchant for breaking the security of iPhones (and Androids, Windows phones or any popular technology, for that matter).
And it likes to borrow, buy and share, if the Wikileaks files are legitimate (Forbes has not been able to verify the veracity of the leaks, though many now believe them to be real). Amongst those iOS exploits leaked are two purchased by the agency from cyberarms dealers under the codename Baitshop. Some were borrowed from other agencies, including the NSA and the UK’s GCHQ, while others came from public research. A handful were found by CIA analysts. In other words, they have a lot of choice when it comes to acquiring hacks of iPhones.
iOS 10 could still be vulnerable
Currently, there’s no leaked code, making it difficult to determine if any previously-unpatched vulnerabilities (so-called zero-days) have been let loose in the Wikileaks leak. But there were a handful of exploits for iOS 9.2, according to a document dated August 2015. One iOS security researcher, who asked to remain anonymous, noted that a handful were not marked as dead by the CIA, nor had they been publicly revealed.
In a table of the CIA’s iPhone hacks was a column named “Death Date,” indicating when vulnerabilities were fixed. The researcher pointed to two exploits, Nandao and WinterSky, as of particular concern, as both worked on iOS 9.2 and had no death date. Nandao was uncovered by GCHQ and affected the heart of iOS, the kernel. WinterSky appears to have come from CIA’s own research department.
Stefan Esser, a renowned iOS exploit expert and the only named external researcher in the CIA’s list, said he was not aware of any of those recent bugs being fixed. “Even if they have, the CIA and every other major player will have different new bugs,” Esser added.
As noted by Edward Snowden, one of the more important aspects of the leak was the borrowing and sharing of malicious code. Looking at the purchased hacks, one of the exploits, called Earth/Eve, was bought by the NSA, according to the file on Wikileaks. It was shared with the CIA and then re-purposed by GCHQ, the document read, something Snowden believed was a concern, given the U.K.’s snooping on journalists and activists.
[Embedded tweet: Edward Snowden (@Snowden), March 7, 2017]
And, according to the anonymous security researcher, the CIA’s techniques for getting persistence on a hacked iPhone were similar to those from an Israeli cyber arms dealer called NSO Group. The company’s Pegasus iOS malware was linked to attacks on iPhones of a prominent UAE activist and a Mexican journalist. NSO Group is also a portfolio company of U.S.-based Francisco Partners, which owns a handful of other government surveillance suppliers, one of which was associated with Turkey’s spy operations.
Apple hasn’t replied to requests for comment on the leaks. And until it does, it’s unclear if any of the exploits still work on iOS 10 and above.
Wikileaks has promised more is to come from the CIA leaker, whose identity remains unknown.
Got a tip? Email at TFox-Brewster@forbes.com or firstname.lastname@example.org for PGP mail. Get me on Signal on +447837496820 or email@example.com on Jabber for encrypted chat.