WikiLeaks released thousands of documents, collectively designated the Vault 7 leaks, that detailed the capabilities of thousands of tools used by the CIA for compromising various types of consumer electronics. The tools used undisclosed security holes, known as zero-day vulnerabilities, to covertly take over smartphones, televisions and vehicle control systems.
Tech companies scrambled to fix the security holes, but the leaks gave few of the details the companies needed to identify and plug them. Julian Assange offered to provide the tech companies with the necessary details through direct channels.
The companies have reportedly received emails from WikiLeaks. The emails contain a document with conditions that the companies are expected to sign before WikiLeaks starts disclosing the details of the zero days. The exact conditions are unknown, but apparently one of the demands is that the companies should fix the security holes within ninety days of being made aware of them, according to a report in Motherboard.
WikiLeaks has contacted Apple, Microsoft, Google, Mozilla & MicroTik to help protect users against CIA malware
— WikiLeaks (@wikileaks) March 14, 2017
The offer puts technology companies between a rock and a hard place. Even without the conditions, gaining access to information about zero days from WikiLeaks is a legal quagmire. The documents and information WikiLeaks holds are highly classified, and the possibility that other state-sponsored actors, say from Russia, are involved in the leaks cannot be entirely ruled out.
Signing any agreement with WikiLeaks would only introduce further layers of legal complications. Apple said in a statement that the latest version of its software is safe from the vulnerabilities exposed in the Vault 7 dump. Microsoft asked anyone with information on zero days to contact its security team directly.
The Vault 7 leak highlights the greater exposure to threats that the public around the world faces when security agencies hoard zero days. Last year, the ShadowBrokers also obtained a treasure trove of NSA tools. The information security community argued about the implications of state-sponsored actors collecting zero days, and the potential repercussions of these tools finding their way into the hands of criminals.
Publish date: March 20, 2017 5:17 pm | Modified date: March 20, 2017 5:17 pm