Apple engineers working to address remaining CIA exploits, but two factors hampering efforts

The WSJ reports that Apple engineers are working to address the remaining iOS exploits reportedly used by the CIA, but they and other tech companies are being hampered by two factors. The first is the lack of any access to the code itself.

Apple engineers quickly began calling colleagues to bring them up to speed on the data dump and to coordinate the company’s response to this new security threat, according to a person familiar with the situation […]

Companies now find themselves in a difficult position: They believe that at least two organizations have access to hacking code that exploits their products — the CIA and WikiLeaks — but neither one is sharing this software …

Cisco – whose devices were also targeted – says that this severely limits the ability of engineers to plug the holes described in the documents.

Cisco, which makes routers and other internet equipment, said that without more information on the exact tools and malware involved, “the scope of action that can be taken […] is limited.”

One possibility is that the leaks may force the government to disclose the vulnerabilities to tech companies through the Vulnerability Equities Process, but even if this happens, it is likely to take considerable time.

Officials are discussing whether to use that process to disclose more information about the issues described in the documents released by WikiLeaks, but that is likely to involve a lengthy interagency review, said one person familiar with the situation.

The second challenge is that the vulnerabilities described to date may be just the tip of the iceberg. It has been claimed that the 8,761 documents so far released by WikiLeaks amount to just 1% of the material it holds – meaning that a great many additional vulnerabilities exist.

It’s a scenario that could very well repeat itself again if WikiLeaks discloses new secrets allegedly taken from the CIA. The group says that it has now disclosed just 1% of the documents in its possession. “If it is the case that they have so much more, that, I think, will have a lot of people quite nervous,” said Thomas Rid, a professor of security studies with King’s College London.

Apple said on Tuesday that ‘many’ of the exploits described in the first data dump had already been patched, but did not give any indication of the approximate percentage.

While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue to work to rapidly address any identified vulnerabilities.

Google issued a statement using similar wording to Apple, stating that it was confident that ‘many’ of the vulnerabilities have already been addressed.

Photo: AFP PHOTO/Jewel Samad
