Earlier this week, WikiLeaks shocked the world by releasing a treasure trove of alleged classified CIA documents that appear to have pulled back the curtain on a startlingly wide range of tools the agency uses to spy on people through their smartphones, computers, smart TVs and even cars. According to the documents, the CIA takes advantage of dozens of dangerous software vulnerabilities in Android, iOS, Windows, macOS, smart TVs, Wi-Fi routers and more, and exploits them in order to spy on device owners.
The documents exposed in this latest leak are still being analyzed by security experts, but users already have plenty of cause for concern at this point. Among them is the apparent fact that hundreds of millions of Android devices are currently exposed to a wide range of security holes. And according to a new report, Google has very few leads as it launches a massive effort to begin patching them.
Earlier this morning, we shared Apple’s official response to the WikiLeaks data dump. In a nutshell, the company says that “many” of the exploits detailed in the CIA files have already been patched. While that may indeed comfort iOS device users to an extent, it of course also means that not all of the vulnerabilities being attacked by the CIA — and, potentially, by other spy agencies and maybe even hackers — have been addressed. This likely leaves millions upon millions of iPhone and iPad users at risk, and they’re not alone.
Forbes on Wednesday morning issued a report stating that Google has begun to scour the 8,000-page WikiLeaks dump in order to determine exactly how to address all of the apparent vulnerabilities that have been exposed. Check Point’s head of mobile security Michael Shaulov spoke to the site, and he says that Google has plenty of work to do if they hope to patch the holes that have been uncovered.
“On Android there are a couple of dozen exploits that they’ll need to manage,” Shaulov told Forbes. The report notes that the vulnerabilities detailed in the WikiLeaks CIA documents appear to only target Android 4.4 and earlier versions, but that still leaves hundreds of millions of users at risk. According to Google’s own Android version distribution data, 33.4% of all active Android devices run Android 4.4 or older versions of Android.
“There’s no starting point for vendors for where they need to patch or what exactly they patch here. From our experience when you do responsible disclosures on Android, even when you try to do it the proper way, it’s very difficult [to disseminate patches],” Shaulov continued. “There’s a 25 percent probability things will go wrong.”
What’s even more troubling is that the expert believes this is only the tip of the iceberg, and that the CIA likely has tools that take advantage of vulnerabilities in newer versions of Android, as well. “Clearly this is fresh information, but it’s probably a snapshot of Q1 or Q2 2016,” Shaulov said.