Apple issued a strong statement on Friday after Wikileaks released a handful of documents about Central Intelligence Agency (CIA) malware for iPhones and Macs, saying it was all old material that the Cupertino giant had addressed. But it also issued the toughest statement yet from a tech firm on Wikileaks’ demands about how companies address the vulnerabilities it claims to have exposed, saying it hadn’t negotiated with Julian Assange’s organization.
After a preliminary assessment of the Dark Matter release from Thursday morning, Apple said the alleged iPhone vulnerability affected iPhone 3G only and was fixed in 2009 when iPhone 3GS was released in 2008. “Additionally, our preliminary assessment shows the so-called Mac vulnerabilities were previously fixed in all Macs launched after 2013,” a spokesperson said.
While Google and Microsoft remain quiet on whether they are working with Wikileaks to address issues after it reportedly demanded companies patch within 90 days, Apple was clear on its position. “We have not negotiated with Wikileaks for any information. We have given them instructions to submit any information they wish through our regular process under our standard terms,” the spokesperson added.
“Thus far, we have not received any information from them that isn’t in the public domain. We are tireless defenders of our users’ security and privacy, but we do not condone theft or coordinate with those that threaten to harm our users.”
Wikileaks claims Apple ‘duplicitous.’
Wikileaks wasn’t impressed with Apple’s response. It tweeted that the claim that the issues had been fixed was “duplicitous.”
EFI is the Extensible Firmware Interface, Apple’s form of firmware, comparable to the BIOS on other PCs. It’s the core chunk of code from which the Mac OS X operating system boots. If anyone can install malware that sits at the EFI level, they may be able to avoid many security protections in Mac OS X.
The good news for users is that the malware exposed by Assange’s organization was not only old but installable only with physical access. Wikileaks claimed in its press release (and in subsequent tweets) that the Dark Matter release showed the CIA had been attacking “organizational supply chains” where devices are built for at least eight years. But the documents only alluded to possible attacks over a supply chain.
As with Wikileaks’ recent claim that encrypted apps like Signal and WhatsApp had been broken by the CIA, it might be wise to take its words with a pinch of salt.