The Stack Archive

Apple claims WikiLeaks vulnerabilities fixed years ago

Fri 24 Mar 2017


Apple has stated that the vulnerabilities pointed out in the latest WikiLeaks data dump from ‘Vault 7’ were fixed many years ago, and that the hacking methods purportedly used by the CIA would not work on today’s devices.

After assessing the claims put forth in the Vault 7 documents, Apple has asserted that while the vulnerabilities did exist at one time, they were fixed as early as 2009, and that later iterations of iPhones and Macs could not be exploited using the methods outlined. The company also noted that the vulnerabilities and their fixes have long been a matter of public record.

‘Vault 7’ refers to a series of data dumps published by WikiLeaks, consisting of confidential CIA documents that purport to make public the agency’s ‘hacking arsenal.’ The most recent of the Vault 7 releases, made public just yesterday, claimed that the CIA could access information stored on Apple devices once it had physical access to the device in question.

Using a ‘sonic screwdriver’ attack, the WikiLeaks documents say, the CIA could infect a Mac’s firmware using an Ethernet adapter plugged into the device’s Thunderbolt port. A different document described how an agent could infect a new iPhone as well.

With the release, WikiLeaks suggested that direct physical access to a target’s device was not always necessary, because the CIA’s physical-access attacks could have been used to infect a target’s supply chain by intercepting and infecting communications.

“While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization’s supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise.”

In a written statement delivered to Business Insider, Apple confirmed that the vulnerabilities from the Vault 7 documents were known and fixed years ago. The iPhone vulnerability, in particular, affected only the iPhone 3G and was fixed in 2009 with the release of the 3GS. The Mac vulnerability was recognized and corrected in all Macs as of 2013.

Apple also confirmed that it has not negotiated with WikiLeaks for information, and has instructed WikiLeaks to submit any information pertaining to the company or its devices through standard channels. Apple has not received any confidential information from WikiLeaks, the company asserts, and all information about Apple and its products from Vault 7 is already part of the public domain.

The statement concludes, “We are tireless defenders of our users’ security and privacy, but we do not condone theft or coordinate with those that threaten to harm our users.”

