Cloud Hosting

Slide: 1 / of 1. Caption: WIRED

Of all the revelations to come out of the 9,000-page data dump of CIA hacking tools, one of the most explosive is the possibility that the spy agency can compromise Signal, WhatsApp, and other encrypted chat apps. If you use those apps, lets be perfectly clear: Nothing in the WikiLeaks docs says the CIA can do that.

A close reading of the descriptions of mobile hacking outlined in the documents released by WikiLeaks shows that the CIA has not yet cracked those invaluable encryption tools. That has done little to prevent confusion on the matter, something WikiLeaks itself contributed to with a carelessly worded tweet:

The end-to-end encryption protocols underpinning theseprivate messaging apps protect all communications as they pass between devices. No one, not even the companies providing the service, can read or see that data while it is in transit. Nothing in the CIA leak disputes that. The underlying software remains every bitas trustworthy nowas it was before WikiLeaks released the documents.

Of course, the CIA can compromise the devices sending or receiving those messages. By taking control of a so-called end point, spies can access everything on a smartphone, be it texts, videos, the camera, or the microphone. It isnt about defeating encryption, despite the hype, says Nicholas Weaver, a computer security researcher at the International Computer Science Institute. If you compromise a targets phone, you dont care about encryption anymore.

Its an important distinction. More than a billion people use Signal and WhatsApp, both of which use Open Whisper Systems Signal Protocol to protect communications. Other end-to-end encrypted apps, like Confide, have also seen a recent uptick in popularity. The people who use these apps rely on that rock-solid security to facilitatesensitive discussions, avoid oppressive regimes, communicate withjournalists, and more. Undermining trust in those tools creates the impression that vulnerable people have nowhere to turn. This is not true. They absolutely do.

The CIA/WikiLeaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption, said Open Whisper Systems in a response on Twitter. The story isnt about Signal or WhatsApp, but to the extent that it is, we see it as confirmation that what were doing is working.

The only people who may need to worry are those who might be the target of a total-device takeover, an exploit largely limited to nation-state actors. At that point, youve got farbigger concernsthan end-to-end encrypted chat. That Signal and WhatsApp are still viable also doesnt lessen the broader implications of the CIAs secrets being in the wild.

Specifically, users of encrypted comms programs arent targeted, but everyone is made less safe, says Malwarebytes security researcher Jean-Phillipe Taggart.

Fortunately, WikiLeaksclarified what it meant. After all, it values the ability to keep secrets as well as anyone.

This story has been updated to include a comment from Jean-Phillipe Taggart.

Continue reading here:
Don't Let WikiLeaks Scare You Off of Signal and Other Encrypted Chat Apps - WIRED