WikiLeaks posted last week 8,761 documents revealing an arsenal of hacking tools used by the US Central Intelligence Agency (CIA). The ability to turn smart TVs into listening devices, or take remote control of smart cars made the most headlines. However, this was no news for the cybersecurity community, which has been vocal about the weak security of many Internet of Things (IoT) products. In a similar way, the unveiled Android exploits came as no surprise to Secure Group. They are, in fact, the same thing we have been telling users for years.
Lets’ start by outlining a few facts about the CIA leaks:
- The agency stockpiled attacks to hack and control smartphones remotely, taking advantage of zero-day vulnerabilities (unintentional security flaws in software that developers have initially overlooked).
- It also developed malware such as Trojans, viruses. malicious payloads, etc., and made use of security backdoors and exploits.
- The leaks unveil only a toolkit for hacking devices (unlike the Edward Snowden revelations about ongoing mass surveillance programs). These capabilities are the kind of thing that, frankly, you’d expect any self-respecting intelligence agency to have.
- It is unlikely that this arsenal of malware and exploits was used for mass surveillance. The types of attacks appear suited for targeted hacking of particular people or devices.
- The revelations are for practices from the 2013-2016 period. Many of the zero-day vulnerabilities that have been listed have been addressed by manufacturers since then.
What do the CIA leaks mean for encryption?
Long story short, the fact that the CIA has moved to developing malware and exploiting OS vulnerabilities means that encryption works well. We already mentioned Snowden. In 2013, he revealed that the NSA had a number of mass surveillance programs going on and that it had successfully decrypted a lot of Internet traffic, particularly over HTTPS. This to a large extent opened the eyes of the general public to the fact that Internet communications are hardly private. And, in turn, sparked a demand for securing them properly.
Back in 2013, good end-to-end encryption such as OTR or PGP was a property of a few specialized security apps. Fast forward to 2017; it is getting embraced by the likes of WhatsApp, Skype (at least for calls), Facebook Messenger (not by default, but if you use the secret conversations option, yes), and so on. Most people still have a long way to go in terms of awareness about the security aspect of communication technology. But the issue is at least on the table, and things are going in the right direction.
If you are an intelligence agency, though, you might have different ideas about what the right direction is. Your job is, after all, to extract information from places you don’t have access to. The growing popularity of end-to-end encryption is an obstacle to achieving that goal. Trying to break contemporary encryption – using, say, AES-256 and 2048-bit keys or higher – is like trying to break a concrete wall with your forehead. It is just not happening (at least until quantum computing comes into the picture, and that’s probably a decade away).
Malware and exploits are what should really worry you
The CIA leaks show how one intelligence agency – and presumably, others – has approached this challenge in the years after Snowden blew the whistle. It is not about breaking encryption as much as about bypassing it and intercepting communications before the encryption even took place in the apps. Hence, the focus on malware and exploiting zero-day vulnerabilities.
We at Secure Group have been raising awareness about this for years. Encrypting communications is a necessity, but it is only the first step towards securing privacy. There are many other ways into a phone that could compromise it without bothering with the encrypted data. Non-state adversaries like hackers and cybercriminals take advantage of the same exploits as well. We had that in mind when designing our products.
Secure Phone comes out of the box with all third-party apps purged from the device. The only way to install any additional software on the device is through the Secure Administration System (SAS). So, there simply isn’t any way for malware to find its way on the phone. And even if it did, it’d have a hard time exploiting zero-day vulnerabilities. When developing the device, we removed anything from Android that could be exploited: Bluetooth and USB drivers, the location, notification and telephony managers, Google Services, etc.