Hysteria around CIA hacking of private technology unfounded

Yes, you should be worried about the Vault 7 leaks, but not for the reasons you think

Individuals and businesses should use encrypted programs and apps such as Signal or WhatsApp. The more that do, the more limited CIA (or National Security Agency) hacking toolkits become. Photograph: Petar Kujundzic/Reuters
Individuals and businesses should use encrypted programs and apps such as Signal or WhatsApp. The more that do, the more limited CIA (or National Security Agency) hacking toolkits become. Photograph: Petar Kujundzic/Reuters

WikiLeaks made a sweepingly dramatic – and sometimes misleading – announcement following the release of a massive tranche of leaked CIA documents, which it dubbed Vault 7, on Tuesday.

The CIA, it said, can break the encrypted apps on your mobiles phones, including WhatsApp and Signal, control phones’ cameras and microphones, and listen in to your conversations by commandeering your smart TV or car mic. It could also gain control of your PCs and Macs.

The internet then ran around like a headless chicken with lots of ill-informed scary punditry from people who know zilch about technology, security and privacy.

Yes, the information released in the documents, if genuine (and Edward Snowden tweeted that he believed it to be), creates some very serious concerns. And yes, it is an extraordinary, and for the CIA, deeply embarrassing leak – more than 8,000 internal CIA documents from 2016, only part of the entire document dump from 2013 to 2016 that WikiLeaks says is to come.

READ MORE

But as always with such document dumps, there’s a need for nuanced and informed evaluation (for example: http://blog.erratasec.com/2017/03/some-comments-on-wikileaks-ciavault7.html). That takes time, of course.

Nonetheless, two broad points emerged fairly swiftly – unfortunately, generally missed by most in the harum scarum, when people only take in and remember 140-character Twitter shrieks.

First, some of the more alarming claims were swiftly unpicked, and second, we started to get context. So here is what you need to know, in a nutshell.

Encrypted apps

The CIA has not hacked or compromised encrypted apps such as WhatsApp or Signal. What it (and hackers generally) can do – and this was already known – is use malware to get the message before it is encrypted or after it has been unencrypted on an endpoint device, such as your mobile.

This (and other data-gathering exploits mentioned in Vault 7) generally is done using vulnerabilities in the operating system. So, hackers or agents must physically place malware on your device, or surreptitiously get you to open a malware programme – a much harder, time-consuming and targeted task.

The same is true regarding taking control of microphones on certain Samsung smart TVs, even if they are turned off. Doing this is even more difficult, because somebody would have to physically access the TV to insert a USB stick and upload malware.

In addition, the Vault 7 documents show many system vulnerabilities that – good news – are already known and patched. They also give lists of malware programmes being used, many of them also already known. If device operating systems are kept up to date, many of those exploits aren’t going to happen.

But presumably there are other, new or unknown vulnerabilities (along with death and taxes, there will ALWAYS be vulnerabilities) that can and will be exploited to gain access to data, cameras and mics.

Not of interest

The shocking element of the data dump really isn’t that the CIA can and does conduct surveillance via people’s devices. Like it or not, that is state espionage. Nor should you worry that the CIA is doing this at scale and accessing your devices. Almost all of you – hurtful as this may sound – are not of the remotest interest to the CIA. It almost certainly has no desire to invest the cost and time to get into your personal device, TV or car operating system.

What alarms is that Vault 7 documents make clear the CIA has bought – or, it appears, developed – software tools that do these things, thus compromising widely used software and devices from US (and foreign) technology companies.

That has implications for the technology industry and for business generally. Most obvious: the tech sector rightly will be furious that its products are weakened. It also rightly will be asking why it should co-operate to share security and vulnerability information with the agencies, as the US government has been asking it to do, when the agencies are finding, abusing and failing to disclose potentially grave vulnerabilities to industry.

For businesses and individuals (as WikiLeaks rightly noted), any agency hacking tool that can exploit a vulnerability can potentially slip into “the wild” at any time, and be used maliciously by hackers against individuals, customers and businesses.

But the critical takeaway, which unfortunately was lost among some of the sensationalist claims, is that individuals and businesses definitely should use encrypted programs and apps such as Signal or WhatsApp.

Indeed, the more of you that do, the more limited these CIA (or National Security Agency) toolkits become. That’s because the more people that use encryption, the more useless it becomes for surveillance agencies to do bulk data collection of the sort revealed by Edward Snowden, and the more time-consuming and costly it becomes to do surveillance, full stop.

Strong evidence for years now has indicated that fishing expeditions and bulk surveillance are a privacy-compromising, unproductive waste of time and resources.

Broad use of encryption forces surveillance agencies to do what they should be doing – narrowing in on specifically targeted dangerous individuals, organisations and networks. Not spying, pointlessly, on the guiltless.