Skip to main content

WikiLeaks: CIA Hacks Smartphones To Work Around Encrypted Communications

WikiLeaks published documents purporting to show the CIA's hacking abilities. In with claims that the intelligence agency compromised smart TVs to spy on their owners, among other things, the documents explained how the agency targets smartphones to evade the protections of end-to-end encrypted (E2EE) messaging services like Signal and WhatsApp. But don't panic--the CIA hasn't directly undermined the security measures used by those tools.

E2EE secures information by encrypting it before it ever leaves the device. This protects the messages from man-in-the-middle attacks that intercept communications between a device and an app's servers while also preventing companies from reading the information themselves. It's kind of like speaking into a tin can that's connected to another can by a string; messages are only received by their intended recipients. Nobody else gets anything.

This setup rose to prominence after Edward Snowden revealed National Security Agency (NSA) surveillance programs in 2013. Since then, companies like Facebook, Google, and others have rushed to secure their communications tools. (Even if Google did turn over an E2EE project for Gmail to the public.) Many of these apps use the Signal protocol--which is also used by a service of the same name--to protect their users' messages from prying eyes.

Now the new WikiLeaks documents show that the CIA targets individual smartphones to bypass these protections. To continue the metaphor above, this is like putting a microphone in one of the tin cans so you can hear everything someone says. The string still does its job by making sure communications aren't overheard by anyone else, but because the can has been compromised, the system doesn't offer the same level of security that it did before.

Open Whisper Systems, the nonprofit behind the Signal protocol and service, said in a series of tweets that this could actually be a good sign:

The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption. [...] The story isn't about Signal or WhatsApp, but to the extent that it is, we see it as confirmation that what we're doing is working. [...] Ubiquitous e2e encryption is pushing intelligence agencies from undetectable mass surveillance to expensive, high-risk, targeted attacks.

In a sense, the CIA hacking phones to work around E2EE is kind of like someone picking up the device to read all the messages stored on it. (Or, to continue that metaphor from earlier, holding one of the cans to their ear.) It's not up to groups like Open Whisper Systems to prevent that eavesdropping--people have to be careful about how they use their devices, and manufacturers have to make those devices as hard to hack as possible.

It's better to use encrypted messaging services and force intelligence agencies to use targeted surveillance techniques than to be caught in the dragnet surveillance that Snowden revealed four years ago.

  • Dark Lord of Tech
    But secure messaging apps like Signal, WhatsApp, and others have not been compromised.

    Yeah right , they have all the unlocks.
    Reply
  • leoscott
    The spooks are as smart as the unspooks. It's a constant merry-go-round race like copy protection was. You will only stay ahead of the spooks for a while before you have to come up with something new. Add to that the intelligence agencies get the computing superpower years before the rest of us, it's likely that they will be able to do real time decryption for years before we know it unless there is another super-leak. I personally don't mind because I don't do anything that will make worth their effort to look at me. If they do these things to evil people, GREAT.
    Reply
  • WhyAreYou
    Not surprising imo
    Reply
  • JamesSneed
    +1 Balckbird, If they are used with any popularity they already have backdoors / unlocks. They cant tell us they have been compromised since the government has gag orders on that type of information. Due to the gag orders we have to assume they are compromised don't we?
    Reply
  • Dark Lord of Tech
    19398366 said:
    +1 Balckbird, If they are used with any popularity they already have backdoors / unlocks. They cant tell us they have been compromised since the government has gag orders on that type of information. Due to the gag orders we have to assume they are compromised don't we?

    Absolutely , nothing is off the table.
    Reply
  • JamesSneed
    19398307 said:
    The spooks are as smart as the unspooks. It's a constant merry-go-round race like copy protection was. You will only stay ahead of the spooks for a while before you have to come up with something new. Add to that the intelligence agencies get the computing superpower years before the rest of us, it's likely that they will be able to do real time decryption for years before we know it unless there is another super-leak. I personally don't mind because I don't do anything that will make worth their effort to look at me. If they do these things to evil people, GREAT.

    The problem with you thinking if they do this to evil people only is short sighted. All this hacking will get used by "evil" people to exploit us by stealing credit card info, bank info, home addresses to break in our houses etc. I'm a bit concerned about the government using the tactics but I'm more concerned when this falls into the hands of others.

    Reply
  • Dark Lord of Tech
    That's why Amazon and the CIA are buddies.
    Reply
  • Math Geek
    the greatest gathering technique used is not hacking but simply letting the user give all details of their life to a "service" and then simply reading it in real time.

    we give way more info to facebook, google, amazon, apple and so on that the cia would ever have time to put together. they just ask these companies for their file on you and they have a lot to go on. your smartphone is nothing more than a data collection tool for so many companies it's almost stupid. yet we all have one. what little they did not collect before they do now.

    notice in this article it talks about hacking smart tv's. now think of how much more is included with those new google/apple/amazon things you can talk too and get it to do stuff for you. those mics are ALWAYS listening to see if you're talking to it. and all that goes to amazon/google/apple servers to be analayzed. by having one of these in your house you are literally consenting to being monitored 24/7 by anyone and everyone.

    you're phone let's you activate the various siri/cortana "assistants" these also listen 24/7 to not just you but everyone around you. sends that voice data to its servers to be analyzed and stored. so we have literally entered into that 1984 scenario of being watched at all times. the difference is the gov did not set up the network, we did. the gov is just tapping into these opportunities to share in the surveillance done on us by all the companies we volunteer to give over all our life's info to. we volunteer for this constant surveillance under the guise of it being a "service" or being able to stay up to date with friends and families. it will never go away since folks are unwilling to stop posting their whole life on facebook and the 20 others things that exist to spam your friends and family with all your nonsense thoughts and pics.

    can't blame the gov for taking advantage of this opportunity, but i don't have to like it.
    Reply
  • mac_angel
    I know a lot of people get all pissy about their privacy being invaded and stuff, but personally, I just don't care. To me it's like people bitching about pineapple on pizza. Doesn't affect me one way or the other. I'm not doing anything wrong. If the government wants to check out my dick pics I send to my gf, have at it.
    Reply
  • jaber2
    The cure for this is information overload
    Reply