WikiLeaks will not help tech companies fix CIA exploits unless they meet certain demands - report

WikiLeaks founder Julian Assange offered to help tech firms fix suspected security flaws in their products.

WikiLeaks' offer to give technology companies exclusive access to CIA hacking tools to help them fix suspected security vulnerabilities in their products reportedly comes with a few strings attached.

Last week, the whistle-blowing site published thousands of documents detailing the CIA's expansive abilities and tools used to snoop on various devices including phones, computers and Internet-connected televisions.

The first in a series of "Vault 7" leaks included 8,761 documents and files that described some of the CIA's hacking capabilities and cyberweapons including "zero-day" exploits, trojans, viruses and malware control systems.

Assange said some tech firms did reach out to WikiLeaks shortly after the leak asking for detailed information about vulnerabilities in their products.

"Considering what we think is the best way to proceed and hearing these calls from some of the manufacturers, we have decided to work with them to give them some exclusive access to the additional technical details that we have so that the fixes can be developed and pushed out, so people can be secure," Assange said during a live-stream on Thursday.

Tech companies, however, seemed to be reluctant to respond to Assange's offer.

Motherboard reports that WikiLeaks sent an email to all the tech companies featured in the documents, including Apple, Google and Microsoft, that included a series of demands to be met before releasing any information.

Citing multiple sources familiar with the matter, the publication reports that the email included a document with multiple demands that the companies must sign to receive the technical information and details about the CIA exploits. The conditions included in the document are still unknown. However, one source told Motherboard that it included a 90-day disclosure deadline, which would require the companies to patch the vulnerabilities within three months.

Microsoft confirmed to the publication that WikiLeaks did make "initial contact" with the company via secure@microsoft.com. Both Apple and Google have previously said that many of the vulnerabilities mentioned in the documents have been patched and that they will continue working to identify and fix any other exploits.

"WikiLeaks and the government hold all the cards here, there's not much the tech companies can do on their own besides rabidly looking through their code to look for any issues that might be related," a source told Motherboard.


In a statement to Motherboard, a CIA spokesperson said the agency has "no comment on the authenticity of purported intelligence documents released by Wikileaks or on the status of any investigation into the source of the documents." The agency also added that "Julian Assange is not exactly a bastion of truth and integrity."

Security expert Graham Cluley said that although technology firms with unpatched software and hardware vulnerabilities should not be allowed to "treat it as anything less than serious," he does feel uncomfortable when an outsider makes "determinations of how hard a problem should take to fix."

"[I] want to feel confident that bugs are patched properly and that fixes do not themselves introduce more problems than the problem they are trying to address," Cluley wrote. "Who is Julian Assange qualified to say that 90 days is enough?

"There are ways of putting pressure on technology firms to fix bugs, and highlight if you think they are taking too long, without dangling a sword of Damocles over their heads if flaws are not fixed on your own determined schedule."

WikiLeaks tweeted on Saturday that it has already exchanged letters with Mozilla and has informed the company of some vulnerabilities. Google and other tech companies, however, have yet to respond, the outfit said.

Assange claimed many companies are delaying because of "conflicts of interest due to their classified work for US government agencies."

"Should such companies choose to not secure their users against CIA or NSA attacks, users may prefer organizations such as Mozilla or European companies that prioritize their users over government contracts," Assange said. "Should these companies continue to drag their feet, we will create a league table comparing company responsiveness and government entanglements so users can decide for themselves.

"We will have more to say about this issue next week."

© Copyright 2017 IBTimes Co., Ltd. All Rights Reserved.