The real lesson of WikiLeaks' massive CIA document dump — encryption works
WikiLeaks’ posting Tuesday of a gigantic trove of CIA documents shows one thing: Our communications are increasingly secure.
You, however, may have seen a different distillation of this data dump in headlines warning the CIA could have been spying on you through your phone, tablet and even TV all along.
But that take gets this story wrong. And we need to get it right to understand a debate we keep coming back to: Should developers of encrypted devices and apps provide special access to law-enforcement agencies?
Your TV is a target… if the CIA is in your home
WikiLeaks announced Tuesday that it had posted 8,761 documents from a CIA facility in Langley, Va. — the first in a series of planned disclosures of the agency’s activities that the group calls “Vault 7.” This batch focused on the CIA’s ability to conduct surveillance by hacking devices and apps, something WikiLeaks chose to highlight by playing up the scare factor of the CIA or the United Kingdom’s MI5 intelligence agency hacking into your smart TV to turn it into a clandestine listening device.
That’s the goal of a CIA program, code-named “Weeping Angel,” that targeted some Samsung smart TVs to listen in on people. WikiLeaks — the secretive group founded by Julian Assange to post government documents — called “Weeping Angel” the “most emblematic realization” of the endless surveillance described in George Orwell’s book “1984.”
Much first-round coverage — for instance, a New York Daily News front page, inspired by the movie “Poltergeist,” that had a headline screaming “THEY HEE-EAR” — obligingly focused on that angle without providing an important bit of context.
That would be the detail that “Weeping Angel” apparently requires somebody to plug a USB flash drive into the TV in question to load this malware. And the CIA document posted by WikiLeaks observes that “Firmware version 1118+ eliminated the current USB installation method,” so it no longer works on an updated set anyway.
If somebody from the CIA can sneak into your house and pop a flash drive into your TV, you have many larger problems. The CIA agent, meanwhile, might find it more efficient to hide traditional listening bugs throughout your house instead of limiting her attention to your TV.
Aging Android and iOS attacks
The CIA’s attempts to crack smartphones, meanwhile, all appear to target old versions of iOS and Android.
For example, a table of iOS exploits doesn’t list any versions of that Apple (AAPL) operating system newer than 9.2. The current release is iOS 10, and it’s already on 79% of devices. The 24 Android exploits listed, meanwhile, don’t specify a version newer than 4.4.4, far behind the current 7.1.1 release of the Google (GOOG, GOOGL) operating system—although an embarrassingly high 33.4% of Android devices run versions as old as 4.4.4.
Both Google and Apple have said they’ve closed most of these holes, many of which also require physical access to a phone. In a Thursday video appearance, WikiLeaks founder Julian Assange said the group would share data on the other vulnerabilities with companies affected.
President Donald Trump’s own Android phone — photos suggest it’s a 2012 Galaxy S3 — may be among the more exposed devices, owing to its Android software seeing its last update in 2015. That and the sight of WikiLeaks targeting the CIA instead of his political opponents may explain why the man who in October tweeted a compliment for the “incredible information provided by WikiLeaks” now seems much less fond of the group.
Summed up security analyst Robert Graham in a post unpacking the Vault 7 news: “Most of this dump is child’s play, simply malware/trojans cobbled together from bits found on the internet.”
The lesson of device hacking: Encryption works
WikiLeaks says it’s only posted about 1% of the total Vault 7 info, so it’s possible that scarier stuff lurks in this file. And other details, like the disclosure of CIA efforts to hack wireless routers remotely, point to lingering security problems that the tech industry needs to address before it connects every computerized device to the internet.
But we can draw one conclusion from the revelations available now: Encryption works. Otherwise intelligence agencies would not work so hard to compromise individual devices.
That’s an easy thing to overlook in, for example, a tweet from WikiLeaks suggesting that these exploits allow the CIA to defeat such encrypted communications apps as Signal or WhatsApp. Yes, they could allow the CIA to take over a phone and thereby log a user’s speech and touchscreen interactions — but a CIA technician could also bypass Signal’s encryption by looking over a Signal user’s shoulder.
But without that compromise of an individual phone, the CIA can’t snoop on a Signal chat.
The alternative to hacking into specific devices is to require manufacturers and developers to keep extra keys for cops. That was the focus of last year’s dispute between Apple and the FBI over unlocking an iPhone 5 used by one of the San Bernardino shooters: The Feds wanted Apple to write software that would defeat the lock on any iPhone 5, but Apple resisted and the FBI eventually paid a third party to hack into that particular device.
FBI director James Comey offered a reminder of that in a speech Wednesday in which he said “there is no such thing as absolute privacy in America” and called on tech firms to provide some way for law enforcement to access a locked device after getting a court order.
The prospect of the three-letter agencies targeting your phone can be scary, not least since they could probably do it. As security expert Bruce Schneier said at a May 2015 event in Washington, when the debate over whether to restrain the National Security Agency’s bulk surveillance was nearing its end: ”If the NSA wanted to be in my computer, they’d be in it.”
But, Schneier noted, that must be seen as a desirable outcome of encryption systems operating as designed: “They make bulk collection infeasible and force the listeners to target.”
More from Rob:
5G data is coming, and it will supercharge your internet connection
What you should and shouldn’t worry about in Android security
Study finds most people are scarred of being hacked, but don’t do much about it
Email Rob at [email protected]; follow him on Twitter at @robpegoraro.