Wikileaks this week contacted major tech companies including Apple and Google, and required them to assent to a set of conditions before receiving leaked information about security “zero days” and other surveillance methods in the possession of the Central Intelligence Agency. The communication, reported by Motherboard, came a week after Julian Assange’s initial statement that he would help the companies close security loopholes disclosed in a set of leaked CIA documents.
Wikileaks’ demands remain largely unknown, but may include a 90-day deadline for fixing any disclosed security vulnerabilities. According to Motherboard’s sources, at least some of the involved companies are still in the process of evaluating the legal ramifications of the conditions.
Get Data Sheet, Coins2Day ’s technology newsletter.
In a statement late Friday, WikiLeaks announced that some organizations, including Firefox maker Mozilla, have already decided to play ball. The statement also lays out one reason companies might be moving slowly to respond to what it calls an “industry standard responsible disclosure plan.”
Update on CIA #Vault7 "zero day" software vulnerabilities
Ref: https://t.co/h5wzfrReyypic.twitter.com/WEiyptlRu3
— WikiLeaks (@wikileaks) March 18, 2017
The security vulnerabilities were disclosed in CIA documents likely handed to Wikileaks via intelligence contractors. They include methods for penetrating Android and iPhone smartphones, desktop operating systems, routers, and web browsers. “Zero day” refers to deployments of malware or other hacks before an update or patch is created to resolve the vulnerability. Companies involved include Microsoft, Cisco, ZTE, Huawei, and others.
But Wikileaks’ public document release did not include code or full technical details of the vulnerabilities.
Big tech companies have had a fraught relationship with intelligence agencies in recent years, with prior revelations of surveillance programs leading to efforts to reassure consumers that their devices are safe from snoops. Apple, for its part, has said many of the vulnerabilities described in the documents have already been patched. However, the CIA documents include references to more than a dozen unpatched “zero day” exploits of Apple products.