×

Wikileaks dump: Apple, Samsung, Microsoft react to claims CIA hacked iPhones, TVs

Major technology companies including Apple, Samsung and Microsoft have moved to reassure customers they are safe after a massive Wikileaks document dump revealed devices from phones to TVs were the target of hacks by the U.S. Central Intelligence Agency (CIA).

Wikileaks released 8,761 documents and files on Tuesday outlining the CIA's hacking toolkit. In one instant it described an attack against a Samsung internet-connected TV which was developed alongside U.K. spy agency MI5, in which the set is in a "fake-off" mode, so the owner thinks it is off when it's actually on. The "fake-off" mode acts as a bug, recording conversations in the room and sends them over to the CIA.

"Protecting consumers' privacy and the security of our devices is a top priority at Samsung. We are aware of the report in question and are urgently looking into the matter," a Samsung spokesperson told CNBC by email.

The CIA also has 14 "zero-day exploits" – software vulnerabilities that have no fix yet – to hack Apple's iOS devices such as iPads and iPhones. The Wikileaks documents show how these exploits were shared with other organizations including the National Security Agency (NSA) and GCHQ, another U.K. spy agency. The CIA did not tell Apple about these vulnerabilities meaning they couldn't be fixed.

But the U.S. technology giant came out in strong defense of its security following the leaks, suggesting that it had already patched up most of the vulnerabilities.

"Apple is deeply committed to safeguarding our customers' privacy and security. The technology built into today's iPhone represents the best data security available to consumers, and we're constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system," an Apple spokesperson told CNBC by email.

"While our initial analysis indicates that many of the issues leaked were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates."

A similar toolkit was found for Google's Android mobile operating system, which runs on around nine out of the ten of all the smartphones in the world. The CIA had 24 "weaponized" exploits for Android which it obtained from GCHQ, the NSA and cyber arms contractors.

Google is yet to respond to a request for comment from CNBC.

iPhone 7 charging in an Apple store.
Zhang Peng | LightRocket | Getty Images
iPhone 7 charging in an Apple store.

Wikileaks also claims that the CIA runs a "very substantial effort to infect and control" Microsoft Windows users with malware or malicious software. This is done via zero-day exploits, viruses that infect software distrusted on CDs, malware on USB sticks, and systems that hide data in image files.

"We are aware of the report and we are looking into it," a Microsoft spokesperson told CNBC.

Encrypted messaging services such as Signal and Facebook-owned WhatsApp were also named in the documents. Wikileaks said that because the CIA was able to exploit Android and iOS, they were able to collect audio and message traffic from these apps before they became encrypted.

Signal and WhatsApp have not responded to a request for comment by CNBC. However, Open Whisper Systems which develops Signal, said that the CIA method was about getting malware onto phones rather than breaking the encryption technology used by Signal.

Andy Yen, a co-founder of encrypted email service ProtonMail, explained this point.

"The core cryptographic algorithms and techniques used by ProtonMail and other encrypted services remain secure," Yen said in a blog post on Wednesday.

"The exploitation of user endpoints (mobile phones, personal computers, etc) is actually not a new technique, but one that has existed since the first malware was created. This unfortunately is not something that cryptography is designed to defend against, as encryption by itself cannot guarantee the security of end-user devices."