Google reassures Chrome and Android users that CIA’s hacking tools don’t affect them.
Your Android phone running Chrome should be safe from the CIA.
Image: Nicole Cozma/CNET
Chrome and Android users should be protected from most of the CIA’s alleged hacking tools referenced in the WikiLeaks release, according to Google.
Among the more than 8,000 documents published by WikiLeaks yesterday were details of CIA tools to exploit flaws in Chrome and Android, along with tools for hacking iOS, Windows, and macOS.
The documents contained hacking techniques the CIA used between 2013 and 2016, including 24 exploits for Android. These were developed by GCHQ and the NSA, bought from contractors, or publicly available.
Google says it’s confident Android and Chrome users should be protected from many of the exploits, thanks to the security updates and built-in platform defenses it has released, which reduce the reliability of such exploits.
“As we’ve reviewed the documents, we’re confident that security updates and protections in both Chrome and Android already shield users from many of these alleged vulnerabilities,” Heather Adkins, Google’s director of information security and privacy, said in a statement to ZDNet.
“Our analysis is ongoing and we will implement any further necessary protections. We’ve always made security a top priority and we continue to invest in our defenses.”
Apple released a similar statement yesterday, highlighting its track record for ensuring the majority of iPhones have the latest version of iOS. It said “many of the issues leaked were already patched in the latest iOS”.
Firefox maker Mozilla criticized the CIA and WikiLeaks for undermining the security of the internet.
“The CIA seems to be stockpiling vulnerabilities, and Wikileaks seems to be using that trove for shock value rather than coordinating disclosure to the affected companies to give them a chance to fix it and protect users,” Mozilla’s Heather West said.
The Electronic Frontier Foundation yesterday accused the CIA of not following the US Government’s Vulnerabilities Equities Process, which is meant to guide whether an agency should keep a flaw alive and secret, or disclose it and kill it.
Not everyone agrees that the CIA or NSA are “stockpiling” vulnerabilities for future use rather than disclosing them to the vendor.
“That’s not what the NSA/CIA does. They buy 0days to use, now. They’ve got budgets and efficiency ratings. They don’t buy 0days which they can’t use in the near future,” wrote Robert Graham, CEO of security firm ErrataSec.
RAND Corporation today released a detailed report on the market for zero-day exploits that analyzed 200 zero-day exploits affecting software from 64 vendors, including Apple, Microsoft, Oracle, Adobe, Google, Citrix, LinkSys, CryptoCat, and others.
The study found the average life expectancy of an exploit was 6.9 years after initial discovery. The bug’s life ends when someone else finds the bug and it is patched by the vendor.
“The relatively long life expectancy of 6.9 years means that zero-day vulnerabilities — in particular the ones that exploits are created for gray, or government, market use — are likely old,” the report notes.
However, it also found that vulnerabilities bought by third parties had an average lifespan of 1.4 years.
According to RAND’s study, within one year 5.7 percent of a given stockpile of zero-day vulnerabilities will have been discovered by an outsider, resulting in a “collision”.
RAND uses these figures to frame the question over whether government agencies should stockpile vulnerabilities and the impact on users’ safety if the bug is killed through disclosure.
Its analysis found that zero-day vulnerabilities have long average lifetimes and low collision rates.
“If another vulnerability usually exists, then the level of protection consumers gain from a researcher disclosing a vulnerability may be seen as modest, and some may conclude that stockpiling zero-days may be a reasonable option. If zero-day vulnerabilities are very hard to find, then the small probability that others will find the same vulnerability may also support the argument to retain a stockpile.”
However, there remains a risk that an adversary may stumble on the same zero-day, with the potentially severe consequence of leaving users vulnerable to attack.
“In this line of thought, the best decision may be to stockpile only if one is confident that no one else will find the zero-day; disclose otherwise,” it said.
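To make the retain-or-disclose reasoning above concrete, here is an added worked model (not from the article or from RAND’s report) that treats RAND’s 5.7 percent annual collision figure as an independent per-bug hazard; the stockpile sizes, time horizons and the tolerance threshold in the decision rule are constructed inputs, not values from the study.

```python
import math

# Figure quoted from the RAND findings above; everything else below is a
# constructed input for illustration.
ANNUAL_COLLISION_RATE = 0.057   # share of a stockpile found by an outsider within one year


def survival_fraction(p: float, years: float) -> float:
    """Fraction of a stockpile still undiscovered by outsiders after `years`,
    assuming each bug independently collides with probability p per year."""
    return (1.0 - p) ** years


def prob_any_collision(p: float, stockpile: int, years: float) -> float:
    """Probability that at least one of `stockpile` retained zero-days has been
    independently rediscovered within `years`."""
    return 1.0 - survival_fraction(p, years) ** stockpile


def expected_collisions(p: float, stockpile: int, years: float) -> float:
    """Expected number of retained bugs that an outsider has also found."""
    return stockpile * (1.0 - survival_fraction(p, years))


def collision_half_life(p: float) -> float:
    """Years until half of a stockpile has collided at annual rate p."""
    return math.log(0.5) / math.log(1.0 - p)


def retain_or_disclose(p: float, stockpile: int, years: float, tolerance: float) -> str:
    """The rule in the quoted passage: retain only while the chance that somebody
    else already has one of the bugs stays below an acceptable tolerance
    (the tolerance is a constructed policy knob, not a RAND figure)."""
    return "retain" if prob_any_collision(p, stockpile, years) <= tolerance else "disclose"


if __name__ == "__main__":
    for n in (1, 10, 50):
        for t in (1, 3, 6.9):
            print(f"{n:3d} bugs, {t:4} yr: "
                  f"P(any collision)={prob_any_collision(ANNUAL_COLLISION_RATE, n, t):.3f}, "
                  f"E[collisions]={expected_collisions(ANNUAL_COLLISION_RATE, n, t):.2f}")
    print(f"half-life of a stockpile: {collision_half_life(ANNUAL_COLLISION_RATE):.1f} years")
```

The point the numbers make is that a low per-bug rate still compounds: a single bug has a 5.7 percent chance of colliding in a year, but a stockpile of ten has roughly a 44 percent chance that at least one of them is already in someone else’s hands.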
Once a vulnerability has been found, researchers took on average 22 days to develop a fully functioning exploit, with most taking between six and 37 days, the study found.