Two days after WikiLeaks released nearly 9,000 files outlining alleged CIA hacking techniques, the anti-secrecy organization is turning details of those tools over to the technology companies they affect.
Most of the documents in the WikiLeaks release comprise technical instructions on how to perform a variety of tasks, from pirating copies of Windows 8 to turning a Samsung smart TV into a listening device. The documents have yet to be confirmed by the CIA, but if true mean the agency has been stockpiling known exploits rather than disclosing them to manufacturers.
In a live Q&A on Periscope on Thursday, WikiLeaks founder Julian Assange said some of the manufacturers of the affected technologies had asked the organization for more detailed information about the vulnerabilities that had been exploited, and that WikiLeaks would be complying with that request.
Several of those companies have already made public statements about the document dump. Apple said in a statement on Wednesday that “many” of the iOS exploits described in the release had already been patched, noting that it would “continue to work to rapidly address any identified vulnerabilities.” Google gave a similar statement to Recode, saying that its analysis was “ongoing, but that “many” of the vulnerabilities had already been patched.
Cisco, which manufactures some of the affected routers, told The Wall Street Journal that it would need more information about the exploits before it could work on fixing them. Presumably, the company will now be able to get those details from WikiLeaks.
In all, the WikiLeaks documents describe methods for hacking iOS devices (iPhones, iPads), Android devices, OSX devices (such as iMacs and MacBooks), web browsers, Windows computers, Linux computers, routers, and Samsung smart TVs.
The publicity of the leak may shed some unwanted light on the process by which certain companies handle patching publicly disclosed exploits, a process that critics have described as being too slow. In 2012, for example, security researcher Ang Cui informed Cisco of a vulnerability in its voice-over-IP phones that allowed him to turn them into listening devices, a hack not unlike the one described in the WikiLeaks documents for Samsung TVs. It took Cisco four weeks to release a patch, which amounted to just four lines of code and ultimately didn’t work, according to Cui. He and his research partner Michael Costello highlighted that slow pace while speaking about their findings at a conference in Hamburg, Germany later that year.
“Between the time that we notified them and the release date,” Costello noted, “it was approximately one line of code per week.”