WikiLeaks's CIA hacking trove doesn't live up to the hype

For most people, secure message apps are just as secure as we thought

An artistic representation of hacking (insert tiny CIA agent here). The Preiser Project, via Flickr CC BY 2.0

What, exactly, did WikiLeaks reveal yesterday in its new trove of purported Central Intelligence Agency documents? As is standard practice for the online clearinghouse of former (and mostly American) secrets, the claim was bold and up-front: "These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo [sic], Confide and Cloackman [sic] by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied."

Those apps (with the exception of Weibo) are made for keeping secrets. Surely, if the spooks at the CIA could get around those apps' safeguards, then the privacy of millions of activists, dissidents, journalists, and everyday people who prefer secure communications would be in jeopardy. Right? After all, that kind of threat was at the center of former NSA contractor Edward Snowden's revelations in 2013: a vast wealth of data about individuals, Hoovered up en masse and indiscriminately. No one was safe.

Except what WikiLeaks released yesterday doesn’t indicate a broad abuse of power.

Both The New York Times and The Wall Street Journal repeated WikiLeaks's claim mostly verbatim. That framing shaped their initial stories, as Columbia University computer science professor Steve Bellovin highlighted:

Both [the New York Times and the Wall Street Journal] uncritically accepted the premise: that there's something wrong with these encryption apps. Nothing could be farther from the truth. Rather, the existence of these hacking tools is a testimonial to the strength of the encryption. It's hard or impossible to break, so the CIA is resorting to expensive, targeted attacks.

Targeted attacks. The CIA is not, as the NSA might, scooping up secure, encrypted communications in transit between people and decrypting those conversations later. Instead, the CIA is doing what the CIA, as a spy agency focused on collecting intelligence from individuals, does: looking for a way into a specific person's phone. Once it is on that phone, it doesn't need to break the encryption at all. It reads messages and audio at the endpoint, before the app encrypts them on the way out and after the app decrypts them on the way in.

The fact is that most encryption apps, for most purposes, work. We tend to think of security as binary: the door is locked or it isn't. Same with messages sent on an encrypted messaging service: they are either locked or not. But that's misleading. Your locked front door keeps casual intruders and pranksters out, which is enough for most of us, most of the time. But the truth is, it won't stop a determined burglar with tools, and it won't stop a cop with a warrant. Most of us aren't targeted and never will be (sorry, self-important tech reporters). So communicating over an encrypted messaging service means that our messages very likely won't ever be seen by anyone except the person who unlocks them at the other end of the conversation.

What the WikiLeaks trove shows shouldn't surprise anyone: the CIA has a way to get into some phones, some of the time, in the process of looking for information from a specific individual.

"First, this appears to be about tools that target selected end users by compromising their phones, not that break the crypto generally," Matt Blaze, a security researcher and computer science professor at the University of Pennsylvania, noted on Twitter.

So the average person, one who isn't specifically targeted by the CIA, is likely to be fine using Signal and WhatsApp on their phones to communicate securely, a point Signal maker Open Whisper Systems also made on Twitter.

Encryption still defeats passive surveillance—like when the NSA collects your communications as they're sent—provided both sender and receiver are using end-to-end encryption apps on uncompromised phones. A crafty spy agency (and you'd both expect and want this of your nation's sworn protectors—as long as they only spy on the bad guys) can bypass that encryption by taking over one of the phones.
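To make the distinction between the two kinds of attacker concrete, here is a small model written for this piece; it is not code from the article, from WikiLeaks, or from any of the messaging apps named above. It stands in for a real messenger with AES-GCM under a session key the two phones are assumed to share already (the key agreement is left out), models a passive tap as a copy of every packet on the wire, and models a compromised phone as a hook that runs on each outgoing message before the app encrypts it. The names (Scenario, Endpoint, Wire) and the sample message are invented for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Endpoint models one phone running an end-to-end-encrypted messenger.
// Both phones are assumed to hold the same session key already; the key
// agreement a real app performs is out of scope for this illustration.
type Endpoint struct {
	aead cipher.AEAD
	// implant, when non-nil, models a compromised phone: it runs on every
	// outgoing message before the app encrypts it.
	implant func(plaintext []byte)
}

func newEndpoint(key []byte) (*Endpoint, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Endpoint{aead: aead}, nil
}

// Wire models the network path. A passive tap keeps a copy of every packet,
// which is all an in-transit collector ever gets.
type Wire struct{ packets [][]byte }

// Send runs the implant (if any), then encrypts with AES-GCM, nonce prepended.
func (e *Endpoint) Send(w *Wire, msg []byte) error {
	if e.implant != nil {
		e.implant(msg) // the plaintext leaves the app before encryption
	}
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	w.packets = append(w.packets, e.aead.Seal(nonce, nonce, msg, nil))
	return nil
}

// Receive decrypts one packet; a wrong key or a tampered packet fails.
func (e *Endpoint) Receive(pkt []byte) ([]byte, error) {
	ns := e.aead.NonceSize()
	if len(pkt) < ns {
		return nil, errors.New("packet too short")
	}
	return e.aead.Open(nil, pkt[:ns], pkt[ns:], nil)
}

// Outcome records what each kind of attacker ended up with.
type Outcome struct {
	PlaintextOnWire  bool   // passive tap found the message bytes in transit
	WrongKeyDecrypts bool   // passive tap decrypted with a key it does not hold
	ImplantCaptured  string // what the endpoint implant saw ("" if none)
	RecipientRead    string // what the legitimate recipient decrypted
}

// Scenario sends one message from a sender to a recipient, optionally with
// the sender's phone compromised, and reports what each observer obtained.
func Scenario(message string, compromiseSender bool) (Outcome, error) {
	var out Outcome
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return out, err
	}
	sender, err := newEndpoint(key)
	if err != nil {
		return out, err
	}
	recipient, err := newEndpoint(key)
	if err != nil {
		return out, err
	}
	if compromiseSender {
		sender.implant = func(p []byte) { out.ImplantCaptured = string(p) }
	}
	wire := &Wire{}
	if err := sender.Send(wire, []byte(message)); err != nil {
		return out, err
	}
	// Passive collection: look for the plaintext inside the captured packet
	// and try to decrypt it with a guessed key (any key but the real one).
	guessed := make([]byte, 32)
	if _, err := rand.Read(guessed); err != nil {
		return out, err
	}
	tap, err := newEndpoint(guessed)
	if err != nil {
		return out, err
	}
	for _, pkt := range wire.packets {
		if bytes.Contains(pkt, []byte(message)) {
			out.PlaintextOnWire = true
		}
		if _, err := tap.Receive(pkt); err == nil {
			out.WrongKeyDecrypts = true
		}
	}
	pt, err := recipient.Receive(wire.packets[0]) // the real key reads it fine
	if err != nil {
		return out, err
	}
	out.RecipientRead = string(pt)
	return out, nil
}

func main() {
	for _, compromised := range []bool{false, true} {
		o, err := Scenario("meet at the bridge at 9", compromised) // constructed sample
		if err != nil {
			panic(err)
		}
		fmt.Printf("sender compromised=%v: %+v\n", compromised, o)
	}
}
```

With the sender's phone intact, the tap holds only ciphertext it cannot open; with the implant installed, the same message is captured in full without touching the cipher. That is the whole difference between in-transit collection and the endpoint attacks the documents describe.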

"This information leak is a revelation of something we all knew: the CIA has 0-days (high-impact, previously undisclosed exploits) and purchases exploits from a number of researchers both in and out of the US in order to surveil individual devices," write hacker Tarah Wheeler and security researcher Sandy Clark. Their co-authored post, which I encourage anyone interested to read in full, details a couple of important findings from this document dump. One: most of the effort seems to go into compromising iOS devices, either because Android devices are comparatively easy to compromise or because targets of interest are more likely to use high-end Apple devices. And then there's the other, bigger point about encryption, which we've seen echoed above:

The level of expense it takes for a single CIA agent to monitor someone’s device and spend weeks cracking it is prohibitive across millions of users, and that’s why encryption exists: not to make surveillance impossible, but so costly that there’s not enough resources to monitor everyone.

The new WikiLeaks trove has triggered a lot of salivating (there's probably not a dry tongue in the Kremlin, which some consider to be behind the data dump). And while not Snowden-sized, the dump remains vast. Sure, there are probably revelations to come. Some of them could undermine counter-terrorism efforts. Yet it's nearly impossible that all 8,761 documents and files in the new bundle will reveal deeply sensitive intel. In fact, some of the documents themselves seem frivolous.

Revealed in the trove is the CIA's own database of Japanese-style emoticon faces. Why, exactly, did the CIA have an emoticon library? It could be some new Cold War code. Or it could be in-house goofing at Langley.

Like many other questions from the leak, the answer remains ¯\_(⊙︿⊙)_/¯