WikiLeaks published documents purporting to show the CIA's hacking abilities. In with claims that the intelligence agency compromised smart TVs to spy on their owners, among other things, the documents explained how the agency targets smartphones to evade the protections of end-to-end encrypted (E2EE) messaging services like Signal and WhatsApp. But don't panic--the CIA hasn't directly undermined the security measures used by those tools.
E2EE secures information by encrypting it before it ever leaves the device. This protects the messages from man-in-the-middle attacks that intercept communications between a device and an app's servers while also preventing companies from reading the information themselves. It's kind of like speaking into a tin can that's connected to another can by a string; messages are only received by their intended recipients. Nobody else gets anything.
This setup rose to prominence after Edward Snowden revealed National Security Agency (NSA) surveillance programs in 2013. Since then, companies like Facebook, Google, and others have rushed to secure their communications tools. (Even if Google did turn over an E2EE project for Gmail to the public.) Many of these apps use the Signal protocol--which is also used by a service of the same name--to protect their users' messages from prying eyes.
Now the new WikiLeaks documents show that the CIA targets individual smartphones to bypass these protections. To continue the metaphor above, this is like putting a microphone in one of the tin cans so you can hear everything someone says. The string still does its job by making sure communications aren't overheard by anyone else, but because the can has been compromised, the system doesn't offer the same level of security that it did before.
Open Whisper Systems, the nonprofit behind the Signal protocol and service, said in a series of tweets that this could actually be a good sign:
The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption. [...] The story isn't about Signal or WhatsApp, but to the extent that it is, we see it as confirmation that what we're doing is working. [...] Ubiquitous e2e encryption is pushing intelligence agencies from undetectable mass surveillance to expensive, high-risk, targeted attacks.
In a sense, the CIA hacking phones to work around E2EE is kind of like someone picking up the device to read all the messages stored on it. (Or, to continue that metaphor from earlier, holding one of the cans to their ear.) It's not up to groups like Open Whisper Systems to prevent that eavesdropping--people have to be careful about how they use their devices, and manufacturers have to make those devices as hard to hack as possible.
It's better to use encrypted messaging services and force intelligence agencies to use targeted surveillance techniques than to be caught in the dragnet surveillance that Snowden revealed four years ago.
