The Central Intelligence Agency was implicated this week in a clandestine effort to defeat encryption on phones, laptops, smart TVs, and even connected cars. Among the startling revelations was the agency’s hoarding of zero day exploits — unpatched bugs — that could grant intelligence agents access to encrypted iPhones. But there may be less cause for alarm than the leaked documents led many publications to believe.
On Wednesday, a spokesperson for Apple told members of the press that a number of security loopholes were closed in the latest version of iOS, the iPhone’s operating system.
“Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system,” an Apple spokesperson told Motherboard. “While our initial analysis indicates that many of the issues leaked were patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities.”
Wikileaks, which published internal CIA documents earlier this week, didn’t distribute any of the exploits. But leaked spreadsheets detailed several of the methods circulated among the world’s top intelligence agencies, including the CIA, FBI, and GCHQ, the U.K.’s electronics intelligence agency.
Earth/Eve was an exploit purchased by the NSA and later shared with the CIA. GCHQ discovered a critical zero day code-named Nandao. The CIA uncovered a bug that allowed agents to remotely control a targeted device. And the FBI’s Remote Operations Unit, one of the Bureau’s hacking divisions, discovered an iOS 7 hack.
Other attacks were mentioned in a user guide for “MCNUGGET,” a tool that breaks encryption on iOS 8.0-8.1.3 devices. Another user guide referenced “DRBOOM,” a script that lets an attacker with physical access to an iOS 7-8.2 device install persistent malware. And still other documents listed exploits that have been publicly disclosed, including one by Chinese jailbreaking team Pangu and iOS security researcher Stefan Esser.
In all, the documents named 14 separate exploits and attacks.
Just because Apple has patched a few of iOS’s vulnerabilities doesn’t mean your phone is now safe from prying eyes. The CIA has reportedly broken the security of popular chat apps like WhatsApp, Signal, Telegram, Weibo, and others by intercepting messages and photos before they could be encrypted. And Android phones aren’t immune — according to Wikileaks, the CIA had 24 weaponized Android “zero day” software programs by the end of 2016.
Still, updating your iPhone to the latest software version will reduce some potential vulnerability, at the very least.