Apple Says It's Already Fixed Many WikiLeaks Security Issues

An anonymous reader quotes a report from USA Today: Apple says many of the vulnerabilities to its devices and software that came to light in WikiLeaks' revelations of CIA cyber weapons were already fixed in its latest updates. Late Tuesday, Apple emailed the following statement to USA TODAY: "Apple is deeply committed to safeguarding our customers' privacy and security. The technology built into today's iPhone represents the best data security available to consumers, and we're constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest OS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates." For its part, Samsung emailed its own statement Wednesday: "Protecting consumers' privacy and the security of our devices is a top priority at Samsung. We are aware of the report in question and are urgently looking into the matter."

Good.

[BronsCon]

I'm glad to see positive response across the board, from Apple, Samsung, and I'm sure others. Especially Apple and Samsung, though, as I have many devices from both of them in my home.

Re:Good.

[Gr8Apes]

Having both, I keep my Apple devices updated, and my Samsung devices disconnected from the internet. Why, because only 1 of my Samsung devices is still supported by Samsung, as most are more than 18 months old and therefore unsupported.

Re:Good.

[BronsCon]

I tend not to keep devices for that long, save for my TV which is going on 6 years now, so that's not really a concern for me. In fact, this is the longest I've kept a cell phone in nearly 2 decades. I won't disagree that it can be an issue for others, though.

Re:Good.

[pushing-robot]

Who cares? A response doesn't have to be original to be appropriate and sincere.

"My cat died yesterday."
"Oh, I'm sorry for your loss."
"You're 'sorry.' Everybody's 'sorry!' What kind of generic bullshit sentiment is that?! Make an effort next time, asshole!"
"I am no longer sorry."

Re:Good.

[rtb61]

When Apple are selling privacy as a premium over M$ and the Windows probe, not bullshit any more but a serious full on business principle that will win the their market. Privacy is pretty much becoming Apple's most valuable selling point (consider the poor get free and probed again and again and again ad infinitum not right to freedom and the better off pay for and get privacy and they will pay a premium for it ie freedom ain't free nowadays and you have to pay for it, want to be free of the probe prodding and a pounding up there, then you will have to pay and even when you pay in M$s case ha ha pound your privacy harder).

There is billions in protecting privacy and make no mistake, you could imagine a company like Apple starting to sue people who invade the privacy of Apple customers via Apple devices (very, very expensive suits as they are also a financial attack on Apple, you can not sell privacy if they steal it from you, and I am talking Apples privacy that they are selling). Privacy is becoming serious business, really serious business.

Re:Good.

[BronsCon]

Because the alternative is going off-grid. Just be selective in what you trust them to do and you'll be fine. I fully expected that they, at least these two, would deny, deny, deny; yet here they are admitting the holes existed. Does that mean I trust that they actually patched them? Irrelevant, really, as I'm absolutely positive there are plenty of others, which were not revealed in this recent disclosure and remain unpatched. But no, I do not.

Re:Good.

[rakslice]

Seeing as these companies stop issuing software updates for previous models before (in some cases well before) telcos' scheduled replacements for the last ones they sent to customers come up, it's hard not to read these statements as basically "the security of our customers is a such a high priority that we will actually try to ensure it, some of the time, if you're lucky".

Re:Good.

[ArmoredDragon]

Who cares? A response doesn't have to be original to be appropriate and sincere.

In general, yes, but Samsung has a long, long history of not giving a shit about security on their smartphones even though they always pretend to.

Re:Good.

[fustakrakich]

A response doesn't have to be original to be appropriate and sincere.

Well, there lies the rub. Why should I believe they are 'sincere' every time they cough up this response when this happens?

Re:Good.

I think the problem is it isn't sincere. Apple have repeatedly demonstrated that Security is a long way down the list to things they consider more important like usability, convenience and whether or not they have the time or desire to fix a problem.

Re:Good.

[Gr8Apes]

It used to not be an issue for me either. However, with the CPU performance bottleneck receding for most of my phone needs, updating a phone has become much less pressing over the past 3 years. At this point the only thing really motivating an update outside of various types of hardware failures including, ahem, dropping your device in a pool or the like.... is lack of updates.

Note also that AVRs, TVs, BD players, and a host of other devices all desire internet connectivity these days. Mine don't have it, so updates are irrelevant. I prefer to run everything through a single control point, my HTPC, and it's one I pretty much control.

Re:Good.

[BronsCon]

I do have my TV on my network; however, it is not a smart TV, just just has a media player feature. It will try to phone home if I tell it to check for updates; however, because I have its MAC blocked at the firewall, it can't. I check manually form time to time and, well, there have been 0 updates in the past 6 years anyway.

It's also not one of the models with a mic and/or camera, so I feel I'm being just the right level of paranoid; I just don't want it getting an "update" that ends up pwning my network.

Re:Good.

[Plumpaquatsch]

I think the problem is it isn't sincere. Apple have repeatedly demonstrated that Security is a long way down the list to things they consider more important like usability, convenience and whether or not they have the time or desire to fix a problem.

Yeah, that's why what Apple says after the boilerplate is "While our initial analysis indicates that many of the issues leaked today were already patched in the latest OS, we will continue work to rapidly address any identified vulnerabilities.", while Samsung says "We are aware of the report in question and are urgently looking into the matter."

Because Apple is not sincere and doesn't really care about security and Samsung is sincere and does care about security.

And we believe them...

why? Because they don't opensource a thing.

Re:And we believe them...

[tlhIngan]

why? Because they don't opensource a thing.

Because it's testable? The vulnerabilities are known now. You can easily take an iOS device, update it and test to see how many vulnerabilities are fixed and how many are still open.

And Apple opensources the core - the kernel and low level code is open source. Not that it means it's bug free (Heartbleed anyone? Shellshock?) since many can exist for years before discovery and exploit.

See the open source stuff for Apple here: https://opensource.apple.com/

Not Buying It

[PeteJanda]

Anyone other than me believe that Apple, Samsung et al. (at a minimum) didn't look the other way before the Wikileaks dump? The OS-level issues really were unknowns for a long enough time that the CIA and other agencies could develop and deploy a playbook for hacking high value targets? What about the other elephant in the room... firmware?

Re: Not Buying It

CIA et al didn't develop this. They bought them from black hats.

Re:Not Buying It

According to the Apple announcement, the vulnerabilities were patched prior to the leak, so your insinuation doesn't fit with the facts.

Re:Not Buying It

[TheFakeTimCook]

Anyone other than me believe that Apple, Samsung et al. (at a minimum) didn't look the other way before the Wikileaks dump?

Nope.

Just you.

Re:Not Buying It

[fustakrakich]

According to the Apple announcement, the vulnerabilities were patched prior to the leak... What 'facts' are you talking about?

Re: Not Buying It

They came from a different sources. Some in-house; some from private companies; some from collected exploits from other intelligence agencies; and some collected from foreign intelligence sources.

Re:Not Buying It

> What about the other elephant in the room... firmware?

I honestly wonder if Intel's IME & AMD's equivalent wasn't designed by the government. Hmm, so you have a processor on my processor that's totally a black box and it can control the entire machine? Who here doesn't believe they own that thing completely?

Re:Not Buying It

[larkost]

That would be pretty silly for Apple, since now anyone who cares to download and figure out the exploits can test them for themselves. Someone checking them on this would be easy, and a huge black eye for Apple. You really are off into conspiracy theory territory.

Re:Not Buying It

[AHuxley]

The crypto held as so many smart people around the world use it and international conferences have faith in quality crypto.
Re "The OS-level issues really were unknowns for a long enough time that the CIA and other agencies could develop and deploy a playbook for hacking high value targets? What about the other elephant in the room... firmware?"
The trendy device is the "elephant in the room". Interesting people want to carry and be seen with a US designed device. A powered device with a mic, camera, gps, video and text to collect with.
The way in is the OS, software and hardware. The user creates a message, the CIA gets a copy. The user gets a message, the CIA gets a copy.
The crypto protected the message but the end points fail due to hardware and OS design?
Why would any brand be that sloppy and allow an OS to copy and send out data acting as such malware given all the past malware efforts?
Over time different groups found the same issues in the wild and over the years everything got more secure.
Yet the CIA stays in? Would the CIA risk ever losing an interesting person given random OS upgrades and what internal and external efforts might have found?
The next question is why was the CIA was not seen in the hardware, software extracting copies of data and having that data sent out.
Thats a lot of new data usage and some extra code to find. Why is no "app" or the OS or telco looking for such changes in closed hardware and software?
How is that been hidden?
The telco gets a police setting and fails to report the extra data usage?
A police setting helps hide such code for law enforcement globally and the CIA gets to stay in deep with the same methods?
Big US brands don't have a complex production line for every nation, so police access has to be granted globally or devices won't get sold in a lot of nations under their national telco laws.

Re:Not Buying It

[TheFakeTimCook]

Perhaps, the only reason the information was leaked in the first place is because 'those' vulnerabilities have been fixed and there's no value to them anymore.

So now WIKILEAKS is part of the Conspiracy?!?!?

Re:Not Buying It

[UnknowingFool]

You mean a company whose reputation is under intense criticism all the time like Apple would never patch holes they know about. Have you thought about what you just said? Granted Apple might not be the most best at finding holes or transparent about them; that does not mean they don't try to patch them when they find about them.

Re:Not Buying It

[UnknowingFool]

How old is the information from WikiLeaks? Your assumption is that all the information is current and not older. My analysis of the WikiLeaks dump is that the information starts from 2014.

Now companies need spies in the CIA/FBI

[yorgasor]

Since the CIA & FBI are keeping the vulnerabilities they find secret, these companies just need to start planting spies in the CIA & FBI to find out what bugs they have on their software.

Re: Nope

I think you're on the wrong side of the usability/security tradeoff for most people.

If you read it "of the technologies available to most people, an IOS device is the most secure", its probably true.

"Legitimate documents"

I guess that answers whether the leaks were legitimate. The first spate of news after the leaks tried to paint a "if you've done nothing wrong" picture and adding speculation on if it was even legit.

And, of course, the "if you've done nothing wrong, you have nothing to hide" argument is complete BS when it comes to privacy issues.

Re: Nope

[BronsCon]

TrueCrypt is available to most people; it is free and not too difficult to set up. A safe can be had for $100 or less. If you can afford an iPhone, you can afford a laptop and a safe. Affording TrueCrypt is a given, as it's free. That's not where that AC's argument falls apart.

That argument falls apart when you realize that TrueCrypt hasn't been under active development in quite some time and has, in fact, been abandoned by its developers with a warning that it may be vulnerable. Coupled with the fact that even the most expensive of safes are trivial to crack when compared to decent full disk encryption, which renders the entire "safe" point meaningless as well.

Re:Nope

[93+Escort+Wagon]

TrueCrypt FDE on a laptop stored in a safe.

... encased in cement sitting on Mars.

Keep an eye out for Unlocked Phones

[SeattleLawGuy]

I'm glad to see positive response across the board, from Apple, Samsung, and I'm sure others. Especially Apple and Samsung, though, as I have many devices from both of them in my home.

Keep an eye out for updates on "Unlocked" Phones that have switched networks. For some insane reason phones are marketed as "unlocked" when they can be used on another carrier's network, but *the security updates don't work* if you use them on the other network. These should probably be considered unmarketable and therefore not unlocked--and there should be a convenient way to pull signed security updates from the manufacturer instead of the carrier. Samsung and Apple issuing patches doesn't help if Verizon and AT&T fail to talk to each other enough for users on both networks to get the security updates, regardless of who originally installed a given phone's O/S.

Re:Keep an eye out for Unlocked Phones

[BronsCon]

You can often get updates direct from the manufacturer for Android phones; you just don't get them OTA. Even if not made generally available, they're more than happy to supply them to you if you call in and tell them you've managed to brick your firmware and need a factory image to restore from. thus far, I've been able to get them one way or another from Motorola (both pre- and post-acquisition), HTC, LG, and Samsung. I haven't yet not been able to get updates directly from a manufacturer.

Re:Keep an eye out for Unlocked Phones

[lokedhs]

I've heard about software updates being pushed by the carrier instead of the vendor, but my understanding is that this is something that is strictly limited to the US market. In the rest of the world things work the way they are supposed to.

Re:Keep an eye out for Unlocked Phones

[santiago]

Updates for iPhones come direct from Apple. There's no gating by carrier, because Apple had the clout to tell the carriers to shove it when it came to customizing it with their particular crapware.

Re:Keep an eye out for Unlocked Phones

[cstacy]

Updates for iPhones come direct from Apple. There's no gating by carrier, because Apple had the clout to tell the carriers to shove it when it came to customizing it with their particular crapware.

It's called a "cloud", not a "clout".
Use a spellchecker, dude!

Re:Keep an eye out for Unlocked Phones

[benjymouse]

Updates for iPhones come direct from Apple. There's no gating by carrier, because Apple had the clout to tell the carriers to shove it when it came to customizing it with their particular crapware.

It's called a "cloud", not a "clout".
Use a spellchecker, dude!

From https://www.vocabulary.com/dictionary/clout

clout
When you speak of someone having clout, it usually means that they communicate a sense of power or influence, particularly in the political sense. "You’ll wanna talk to that big guy over there if you want me to let you in. He’s got clout."

Use a dictionary, dude!

Re:Keep an eye out for Unlocked Phones

[thegarbz]

What's a locked phone? Is that an American thing? I thought the entire world abolished carrier locking in the 90s.

Re:Keep an eye out for Unlocked Phones

[cstacy]

AC's apparently too dumb to get jokes,
probably due to living in a country with a poor education system...

I recommend that you continue to post as AC for the sake of your reputation

sigh

Re:Keep an eye out for Unlocked Phones

[Plumpaquatsch]

AC's apparently too dumb to get jokes, probably due to living in a country with a poor education system...

I recommend that you continue to post as AC for the sake of your reputation

sigh

Wait, the "joke" was that somebody only pretended to be uneducated, and to an American being uneducated is funny. Yeah, that explains a lot.

Re:Tipped off?

[hackwrench]

Which could have been just after they were tipped off rhat they were going to be leaked.

Re:Key word: Many

[BronsCon]

They weren't patched before they were known because they weren't yet known. They haven't all been patched yet because they've only been known for a handful of days and patches don't write themselves just because you know about the vulnerabilities. Patching any non-trivial issue without introducing other non-trivial issues takes time.

Re: Nope

[BronsCon]

Assuming the safe was cracked, and not destructively broken into, such detection is not reliable. Crack the safe, extract the contents, copy the data, replace the contents, re-lock the safe, and turn the dial back to its original position.

It might not be the simplest of operations for some safes but, again, it's trivial in comparison to cracking decent encryption. If you can crack the encryption, the safe will barely slow you down; if you can't, then I don't care if you have a copy of the encrypted data. The safe is pointless.

Re:Key word: Many

[hackwrench]

So why was the timing between when they became known to Apple and when they were revealed to the wider audience in such a manner so short? I believe in coincidence;, coincidences happen every day. I just don't trust coincidences.

Re:Key word: Many

[BronsCon]

It's quite possible that someone within WikiLeaks disclosed them privately before disclosing them publicly. That would have been the responsible thing to do.

It's also possible that the CIA leaked the documents themselves after a number of the vulnerabilities had already been discovered. I find this less likely, as there were many vulnerabilities disclosed which have not yet been patched.

Those, of course, are only two possibilities; both of which are pure speculation.

That said, Apple has known about the gaping hole that is hot code pushing for years now and only decided to enforce their already existing rules against it very recently, so it could also be complete incompetence on the part of the vendor.

At any rate, when we've seen that products from all vendors are equally vulnerable, does it really matter who we buy from? I'd say it does not and there's no point in arguing that one is more secure than another now that we've been shown that this simply is not the case.

The difference

[SuperKendall]

Apple is actually capable of making things relatively secure and makes choices that are unpopular but increase security (walled garden, deep restrictions on app access to platform, signing Mac apps required by default). They are looking out for people who truly cannot and will not understand security around technical devices.

Samsung meanwhile may talk a good security game, but they put out truly half-assed effort with a billion exploit channels. How about TV's that can record audio and have full android installations to exploit? They put zero thought in how to handle the security implications of this system (to be fair, Amazon and Google are not far behind with Alexa like devices). Samsung and other companies consider user convenience first and security second - if at all.

As for the rest of your absurd anti-Trump fantasy - Russia expected Hillary to win too. They only reason they gathered so much from the DNC was so that they'd have dirt to hold over on Hillary!

Trump had zero to do with Russian hacks, I would love to hear your frothing rabid explanation for how exactly Russia "hacked the election". After all, all the hackers every did was show us what Hillary and the rest of teh elite DNC members said and did when people were not looking. Hillary lost because she is even more Hillary than people thought, not because Russia.

Re:The difference

[BronsCon]

Samsung meanwhile may talk a good security game, but they put out truly half-assed effort with a billion exploit channels. How about TV's that can record audio and have full android installations to exploit?

Samsung's phones, at least those with Knox, are DoD approved for government communications. Just sayin'.

Re:The difference

Lol my Anti-trump fantasy is tweeting dumb shit from the oval office every week. That man is his own worst enemy. Trump getting in to office was the accident and we're now in the consequences phase.

At what point did I suggest Russia hacked the election? This isn't about the election. That's your hangup. Your desperate rationalization to prove to yourself that "leftists" are all frothing morons and that that things aren't as bad as they seem.

This is about how team's Trump's squad of losers almost certianly played hanky panky with Russian security services, and how it's going to be one of the elements that brings the administration down. They didn't do it because it's some grand conspiracy. They did it because they're clueless and easily manipulated.

Trump badmouthing the CIA, and the CIA leaks happening at the same time are no coincidence. Trump is listens to his advisers because, when it comes down to it, he's little more than a personality. His advisers are shitting bricks and telling him that the bad ol CIA has it out for him. Russia directs CIA infodump leak to help discredit the CIA.

Russia just wants to wash their hands of the mess and provide plausible deniability. Kicking the CIA while they're down is also a natrual goal considering what the CIA does.

Re:The difference

[Uberbah]

Apple is actually capable of making things relatively secure and makes choices that are unpopular but increase security (walled garden, deep restrictions on app access to platform, signing Mac apps required by default). They are looking out for people who truly cannot and will not understand security around technical devices.

Or, more simply: with Apple, you are the consumer. With Samsung or any other Android manufacturer, the user is the product for Google's advertising and data mining businesses.

Trump had zero to do with Russian hacks, I would love to hear your frothing rabid explanation for how exactly Russia "hacked the election".

The entire Trump/Russia storyline is nothing more than the Birthering of the Democrats: people willing to believe the most pathetic bullshit if it undermines someone from the opposing party they don't like. That was true before this morning, but after this morning's Wikileaks dump - including a tidbit that the CIA can "fake" cyber attacks as coming from Russia - anyone who mindlessly repeats the Trump/Russia conspiracy theory isn't smart enough to handle their live savings, and send it to me, now. I'm a Nigerian prince after all, which means I know how to handle money....

Re:The difference

[thegarbz]

They are looking out for people

They achieve security, but don't pretend for a moment that the above ways of doing it is "looking out for people". They look out for people's wallets, but that's where their interest with people ends.

Walled garden while adding security is no because of security, and the same can be said for your other points.

Re:The difference

[SuperKendall]

Samsung's phones, at least those with Knox, are DoD approved for government communications. Just sayin'.

You mean the same government that just had a giant dump of classified NSA stuff leaked? HMMMMM. They sure do know security!

Re:The difference

[BronsCon]

Considering that what was leaked was, quite literally, primarily a list of vulnerabilities, I'd say they do. Of course, with all these unpatched and in-use vulns, one of them was bound to be used to exfiltrate data. The DoD wouldn't have approved it for classified communications if they had known unpatched vulnerabilities.

That said, Google did recently identify a vuln in the ASLR used by Knox, which Samsung is working on fixing. There's not a whole lot you can do with it on the typical non-rooted Samsung phone, though, as one would require escalated privileges to be able to overwrite kernel or application RAM to inject their malware in the first place.

You forgot one possibility

[hackwrench]

The CIA got wing of the fact that WikiLeaks were going to do the release and tipped off the manufacturers to reduce the amount of anything to see here.

Re:You forgot one possibility

[BronsCon]

I didn't "forget" any possibilities, nor did I fail to list just "one"; there are many, many more than just three possibilities. I plainly stated that I was only providing two possibilities, I never said they were the only two.

Come on, I know you can read and comprehend better than that; I've seen you follow a conversation here before.

Nice bit of speculation, though.

Re:You forgot one possibility

[hackwrench]

I can, but I find it slows me down to getting to some more entertaining stuff. I even have a saying for my and others failure to do so. Learning when to read. I know how to read, just need more practice on learning when to read sometimes, though just because I have skimmed something when someone else expresses a sentiment that I should have paid closer attention doesn't mean that either one of us would have gotten to more entertaining fare had I paid more attention.

Re:You forgot one possibility

[BronsCon]

Did you get to more entertaining fare by skimming my comment, though? It doesn't seem so.

Re:You forgot one possibility

[hackwrench]

I got to stating my possibility faster, which was the entertainment I most wanted to get to at the time.

IF

[hduff]

IF they were deeply committed, they would have fixed them all by now.

Re:IF

[Cute+Fuzzy+Bunny]

If they were deeply committed, well, they wouldn't be able to fix code while in a straight jacket and heavy meds.

If they were really deeply committed, they'd write code without security holes in it.

Re:Extraordinary

[hackwrench]

Fine. I hereby declare all claims ordinary. You're welcome. The point being is, what makes something extraordinary, both in claims and evidence. Investigating and monitoring ordinary people? "Extraordinary!"

Re:Key word: Many

[Cute+Fuzzy+Bunny]

So you're saying we have known knowns, unknown knowns, and known unknowns?

Pointless subject line that I dont need

[Cute+Fuzzy+Bunny]

Isn't it sort of a fact that the security holes haven't even been fully sorted out yet?

Re: Apple are lying

[Cute+Fuzzy+Bunny]

Ok.

Apple doesn't fix known exploit for 3 years:
http://www.cultofmac.com/13261... /got bored and didn't read the other 3 million search hits.

Re:Key word: Many

[BronsCon]

Yeah, more or less. Same as ever.

Re: Apple are lying

[AHuxley]

Another one was 14 mins in
https://www.youtube.com/watch?...

Re:Key word: Many

[tinkerton]

I can think of more possibilities: the zero day bugs were already discovered independently and were already fixed when the CIA leaks were published.
Less likely, Apple had agreed to delay fixing some bugs. More likely , Apple knew there were some zero day bugs the CIA was making use of but did not know which ones, and was not trying to find out.

Re: Nope

[johnsie]

Blackberry is more secure than IOS and always has been. Also, less apps in the ecosystem adds an extra level of security.

Re: Nope

[Wulf2k]

What if I can't crack the encryption but I am capable of slipping in something to log your keystrokes?

That's exactly right

[SuperKendall]

I was just thinking the other day, the insanity of this Russia stuff is just like those idiots that kept claiming Obama was not born in the U.S.

Great comparison.

Re: Nope

[BronsCon]

Then the laptop is still no less secure than the iPhone, to which that can also be done.