The Central Intelligence Agency was implicated this week in a clandestine effort to defeat encryption on phones, laptops, smart TVs, and even connected cars. Among the startling revelations was the agency’s hoarding of zero day exploits — unpatched bugs — that could grant intelligence agents access to encrypted iPhones. But there may be less cause for alarm than the leaked documents led many publications to believe.
One Wednesday, a spokesperson for Apple told members of the press that a number of security loopholes were closed in the latest version of iOS, the iPhone’s operating system.
“Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system,” an Apple spokesperson told Motherboard. “While our initial analysis indicates that many of the issues leaked were patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities.”
Wikileaks, which published internal CIA documents earlier this week, didn’t distribute any of the exploits. But leaked spreadsheets detailed several of the methods circulated among the world’s top intelligence agencies, including the CIA, FBI, and GCHQ, the U.K.’s electronics intelligence agency.
Earth/Eve was an exploit purchased by the NSA and later shared with the CIA. GCHQ discovered a critical zero day code named Nandao. The CIA uncovered a bug that allowed agents to remotely control a targeted device. And the FBI’s Remote Operations Unit, one of the Bureau’s hacking divisions, discovered an iOS 7 hack.
Other attacks were mentioned in a user guide for “MCNUGGET,” a tool that breaks encryption on iOS 8.0-8.1.3 devices. Another user guide referenced “DRBOOM,” a script that lets an attacker with physical access to an iOS 7-8.2 device install persistent malware. And still other documents listed exploits that have been publicly disclosed, including one by Chinese jailbreaking team Pangu and iOS security researcher Stefan Esser.
In all, the documents named 14 separate exploits and attacks.
Just because Apple has patched a few of iOS’s vulnerabilities doesn’t mean your phone is now safe from prying eyes. The CIA has reportedly broken the security of popular chat apps like WhatsApp, Signal, Telegram, Weibo, and others by intercepting messages and photos before they could be encrypted. And Android phones aren’t immune — according to Wikileaks, the CIA had 24 weaponized Android “zero day” software programs by the end of 2016.
Still, updating your iPhone to the latest software version will reduce some potential vulnerability, at the very least.
- Apple iOS 11.2.2 update offers a fix to the Spectre security vulnerability
- iOS 12 and new MacOS may let Mac users download iPad apps
- Here’s how to enroll in the iOS beta program to get updates early
- Apple demands DMCA takedown of secret iBoot code leaked on Github
- The iOS 11.3 update lets you to turn off performance throttling on your iPhone