WikiLeaks’s CIA hacking trove doesn’t live up to the hype
For most people, secure message apps are just as secure as we thought
What, exactly, did WikiLeaks reveal yesterday in its new trove of purported Central Intelligence Agency documents? As is standard practice for the online clearinghouse of former (and mostly American) secrets, the claim was bold and up-front: “These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo [sic], Confide and Cloackman [sic] by hacking the “smart” phones that they run on and collecting audio and message traffic before encryption is applied.”
Those apps (with the exception of Weibo) are made for keeping secrets. Surely, if the spooks at the CIA could get around those apps’ safeguards, then the privacy of millions of activists, dissidents, journalists, and everyday people who prefer secure communications would be in jeopardy. Right? After all, that threat was at the center of former NSA contractor Edward Snowden’s revelations in 2013: a vast wealth of data about individuals, Hoovered en masse, indiscriminately. No one was safe.
Except what WikiLeaks released yesterday doesn’t indicate a broad abuse of power.
Both The New York Times and The Wall Street Journal repeated WikiLeaks’s claim mostly verbatim. That framing shaped their initial stories, as Columbia University computer science professor Steve Bellovin highlighted:
Targeted attacks. The CIA is not, as the NSA might, scooping up secure, encrypted communications in transit between people, and then later revealing those conversations. Instead, the CIA is doing what the CIA, as a spy agency focused on collecting intelligence from individuals, does: looking for a way into a specific person’s phone. Then, once it’s in that phone, it is bypassing the encryption and recording data and audio transmitted to the device.
The fact is, most encryption apps, for most purposes, work. We tend to think of security as a binary function: the door is locked or it isn’t. Same with messages sent on an encrypted messaging service: they are either locked or not. But that’s misleading. Your locked front door keeps casual intruders and pranksters out, which is enough for most of us, most of the time. But the truth is, it won’t stop a determined burglar with tools, and it won’t stop a cop with a warrant. Most of us aren’t targeted and never will be (sorry, self-important tech reporters). So communicating with encrypted messaging services means that our messages likely (highly likely) won’t ever be seen by anyone except the person who unlocks them at the other end of our communication chain.
What the WikiLeaks trove shows shouldn’t surprise anyone: the CIA has a way to get into some phones, some of the time, in the process of looking for information from a specific individual.
“First, this appears to be about tools that target selected end users by compromising their phones, not that break the crypto generally,” Matt Blaze, a security researcher and computer science professor at the University of Pennsylvania, noted on Twitter. He continued:
Apps (like Signal) depend not only on their own code for security, but on the platforms they run on (like iOS or Android). (3/)— matt blaze (@mattblaze) March 7, 2017
A weakness in EITHER the app itself OR the platform may be sufficient for an adversary to target a user and get their messages. (4/)— matt blaze (@mattblaze) March 7, 2017
So the average person, one who isn’t specifically targeted by the CIA, is likely to be fine using Signal and WhatsApp on their phones to communicate securely. As Signal maker Open Whisper Systems said on Twitter:
The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption.— Signal (@signalapp) March 7, 2017
Encryption still defeats passive surveillance—like when the NSA collects your communications as they’re sent—provided both sender and receiver are using end-to-end encryption apps on uncompromised phones. A crafty spy agency (and you’d both expect and want this of your nation’s sworn protectors—as long as they only spy on the bad guys) can bypass that encryption by compromising the phone itself.
“This information leak is a revelation of something we all knew: the CIA has 0-days (high-impact, previously undisclosed exploits) and purchases exploits from a number of researchers both in and out of the US in order to surveil individual devices,” write hacker Tarah Wheeler and security researcher Sandy Clark. Their co-authored post, which I encourage anyone interested to read in full, details a couple of important findings from this document dump. One: most of the effort seems to be on compromising iOS devices, either because it’s relatively easy to compromise an Android device or because targets of interest are more likely to use high-end Apple devices. And then there’s the other, bigger point about encryption, which we’ve seen echoed above:
The new Wiki trove has triggered a lot of salivating (there’s probably not a dry tongue in the Kremlin, which some consider to be behind the data dump). And while not Snowden-sized, the dump remains vast. Sure, there are probably revelations to come. Some of them could undermine counter-terrorism efforts. Yet, it’s nearly impossible that all 8,761 documents and files in the new bundle will reveal deeply sensitive intel. In fact, some of the documents themselves seem frivolous.
Revealed in the trove is the CIA’s own database of Japanese-style emoticon faces. Why, exactly, did the CIA have an emoticon library? It could be some new Cold War code. Or it could be in-house goofing at Langley.
Like many other questions from the leak, the answer remains ¯\_(⊙︿⊙)_/¯