Apple Says It Fixed CIA Vulnerabilities Years Ago

Yesterday, WikiLeaks released its latest batch of pilfered CIA material, five documents describing malicious software for taking over Apple MacBooks and iPhones, and wrote in an accompanying post that “the CIA has been infecting the iPhone supply chain of its targets,” prompting concerned readers to wonder if their iPhone or MacBook had been infected on the factory floor. In a statement, Apple says that is almost certainly not the case.

As indicated in the documents, the attack methods described date in some cases back to 2009, when the iPhone line was in its infancy. Apple’s statement, provided to The Intercept and other media outlets, indicates that unless you’re still using a relatively ancient model like the iPhone 3G, your smartphone could not even be hypothetically vulnerable to the specific attacks published by WikiLeaks, and your Mac should be safe if it was made in the last four years.

We have preliminarily assessed the WikiLeaks disclosures from this morning. Based on our initial analysis, the alleged iPhone vulnerability affected iPhone 3G only and was fixed in 2009 when iPhone 3GS was released. Additionally, our preliminary assessment shows the alleged Mac vulnerabilities were previously fixed in all Macs launched after 2013.

Although it’s not uncommon to use an older and increasingly out of date laptop model — phones tend to rollover faster — it’s unlikely that many people anywhere in the world, potential CIA targets or not, are still using the iPhone 3G.

Still, it’s noteworthy that the CIA had success compromising Apple products that were current at the time the documents were published. The iPhone attack was described in January 2009, a full six months before the iPhone 3G was replaced. The attacks on MacBooks were described in documents dated up through 2013, or undated, and describe models current up through the middle of that year. As The Intercept reported in 2015, the CIA has mounted a sustained campaign against Apple products going back to at least 2010.

On Twitter, WikiLeaks described the MacBook attacks as hitting “systemic” vulnerabilities and called Apple’s statement “duplicitous.”

Also in its statement, Apple added a strongly worded note on WikiLeaks’s claim that it would conditionally hand over information about software vulnerabilities to tech companies like Apple, Google, and Microsoft, whose products have been singled out in the CIA documents:

We have not negotiated with WikiLeaks for any information. We have given them instructions to submit any information they wish through our normal process under our standard terms. Thus far, we have not received any information from them that isn’t in the public domain. We are tireless defenders of our users’ security and privacy, but we do not condone theft or coordinate with those that threaten to harm our users.

Apple declined to comment on the WikiLeaks claim that “the CIA has been infecting the iPhone supply chain of its targets.” One document published by WikiLeaks referenced CIA malware whose “install is ideal for supply chain,” but the claim that the supply chain is actually compromised does not appear to be borne out by anything in documents WikiLeaks has published so far. As with its claim earlier this month that the CIA had developed a method to “bypass” encrypted apps like Signal and read their contents, WikiLeaks is stretching the facts beyond what it has published; it remains entirely possible that American spy agencies have infiltrated Apple’s supply chain, but not based on what’s furnished here. Per usual, the documents provided here are deeply interesting, but not worth the concern WikiLeaks generated by its public comments.