Apple iOS 10.2.1 protects users from Weeping Angel

Most iOS devices are protected against the CIA's alleged Weeping Angel attacks revealed by WikiLeaks last night, Apple has claimed.

In a statement sent to IT Pro, the Cupertino company said: "The technology built into today's iPhone represents the best data security available to consumers, and we're constantly working to keep it that way.

"While our initial analysis indicates that many of the issues leaked were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates."

What proportion of the issues "many" represents is unclear.

Microsoft and Samsung both said they are currently "looking into" the matter, but gave no further information on the current scope or validity of the attacks detailed in the so-called Vault 7 cache.

No surprises

While hardware makers rush to investigate and patch the alleged vulnerabilities, the security community has raised an eyebrow at the surprise the leaks have generated with regard to the vulnerabilities themselves.

Slawek Ligier, VP of security engineering at Barracuda, said: "The types of capabilities described in the WikiLeaks [files] are not new and many of the exploits were demonstrated as technically possible for a while now."

Matthew Ravden, VP at security systems specialist Balabit, added: "Assuming these revelations are true (and they certainly appear to be authentic), it's probably fairly shocking to the general public to see the lengths to which a sophisticated government-sponsored organisation will go to find ways of 'listening in', through TVs, smart-phones or other 'connected' devices.

"For those of us in the security industry, however, none of this is particularly surprising. The resources available to the CIA, MI5, or the FSB are such that they can do pretty much anything. They live by a different set of rules from the rest of us."

Fake news and questionable morals

Although it has been reported that the Vault 7 files show the CIA can break the encryption of secure apps like WhatsApp, Signal and Telegram, this is based on a misunderstanding of the content of the leaks.

Ed Johnson-Williams, a campaigner for the Open Rights Group, said in a blog post: "Some journalists ... have reported this story as showing that the CIA can bypass the encryption on messaging apps like Signal and WhatsApp. This is emphatically not accurate. The apps themselves are secure. They are probably uncritically repeating a WikiLeaks tweet to that effect.

"There is a big difference between phone operating systems being hacked and message encryption being broken. If a messaging app's encryption has been broken, that would affect every user of the app. The encryption in Signal and WhatsApp has not been broken ... [they] remain very good ways to communicate when using a mobile phone for nearly everyone. The worst thing to do would be to throw our hands up in the air and give up on our digital security."

Johnson-Williams pointed out that if the CIA and other intelligence agencies "hoard" these vulnerabilities, then they are also open to use by criminals and the intelligence agencies of non-friendly countries.

Ligier sounded a similar note, saying: "To me the disturbing part of the report is that it appears that spy agencies ... are more interested in stockpiling the vulnerabilities for a future exploit rather than working with vendors to close the gaps. If the CIA knows of the specific exploit, chances are that the MI6, FSB, MSS, and Mossad are aware of it as well.

"Not working on closing the gap and hoping that we will be the only ones able to exploit it, puts all of us at risk. And frankly, the United States has much more to lose through potential industrial espionage than other countries."

Digital personal safety

Although the encryption of WhatsApp, Signal and Telegram hasn't been broken, devices themselves remain vulnerable. There are still ways consumers can keep themselves safe or at least safer from hacking of all types.

Johnson-Williams said: "From a personal security point-of-view it's important to keep all of this in perspective. Most people are at far greater risk of their devices being infected from clicking a link in a phishing email than they are of being hacked by the CIA using a vulnerability in their device."

Similarly, Ligier said that while there's no way to stop devices being turned into "little spies", the risks can be mitigated.

Reflecting Apple's comment, he said users should always update to the latest firmware and software "especially if the update lists security fixes". He also warned against rooting or jailbreaking phones, and urged care when opening email attachments or clicking on links, as "more than 90% of attacks start with the email".

"We all need to work together to protect the advantages the global internet offers to all of us and assure that the dark side does not win," he said.

Jane McCallion
Deputy Editor
