Lessons from CIA hacking leak: How to keep data secure
(Bloomberg) -- Thousands of leaked secret Central Intelligence Agency documents showing how the group hacked into phones, computers and internet-connected televisions erupted Tuesday with the look of another bombshell exposé of government spying run amok.
But for ordinary consumers, there was a surprising - and reassuring - takeaway: encryption apps on smartphones, such as Signal and Facebook Inc.’s WhatsApp, were the big winners of the day because the documents show they still present big problems for government hackers and are the best bet for keeping intruders out of your phone calls and texts.
The “Vault 7” data dump by WikiLeaks was just the latest in a long line of embarrassing disclosures for the intelligence community from the anti-secrecy website, which the U.S. has cited as working with alleged Russian government hackers in tampering with the 2016 presidential election. The documents describe the CIA’s efforts to hack mobile phones and even “smart TVs,” using computer exploits they bought or developed, and stealing techniques and code from other nation-state hackers such as Russia and China to hide their tracks.
Some security professionals quickly derided the materials as outdated, and questioned the timing, as it could be seen as helping distract from mounting problems for the Trump administration in addressing ties to Russia.
“The only interesting story is ‘why’ not ‘what,’” a prominent security researcher who goes by the handle “the grugq” wrote on Twitter, calling the actual contents of the leak “lame.”
For normal computer and mobile phone users, however, there is a valuable lesson in what wasn’t in there. Some security professionals said the leak offered proof that activists and technologists were actually making it harder for government agencies to conduct mass surveillance, forcing intelligence operators to rely instead on the expensive and time-consuming task of hacking people’s phones one by one.
“The CIA/WikiLeaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption,” Open Whisper Systems, the organization that makes Signal and whose technology underpins WhatsApp’s encryption, wrote on Twitter. “The story isn’t about Signal or WhatsApp, but to the extent that it is, we see it as confirmation that what we’re doing is working. Ubiquitous [end-to-end] encryption is pushing intelligence agencies from undetectable mass surveillance to expensive, high-risk, targeted attacks.”
The episode offers some basic lessons for people who are concerned about government surveillance of their devices:
1. The “endpoint” is everything. If an attacker can install spyware onto your mobile phone, or laptop, or even television set, it’s game over for privacy. No amount of encryption will help secure your conversations. This approach requires personally tailored attacks, though, so most people won’t be affected. And in the CIA’s case, many of its tools appear to reflect the organization’s focus on human intelligence, which involves people physically installing malware rather than implanting it remotely. That reduces the potential for attack even more.
2. Mobile devices are, unsurprisingly, a huge area of interest for intelligence agencies. But hackers choose the path of least resistance. As a result, most people will want to worry more about a phishing email or text leading to a malicious website as the source of an infection, rather than encountering a top-of-the-line government “zero day” exploit. The best advice has become cliché: Your vulnerability goes way down if you don’t click on suspicious links.
3. Encryption matters. Apps such as Signal and WhatsApp are not a panacea against hacking, but they make an attacker’s job harder. Whereas ordinary phone calls and texts travel over mobile networks “in the clear,” encryption scrambles the information.
4. If you’re a target of government hacking, you may want to rethink any Internet-of-things-type devices you have around the house. From Amazon’s Echo to smart TVs, any device with an internet connection can be programmed to secretly record conversations and beam the data.