The good and bad of Wikileaks' Vault 7 dump
Separating the wheat from the chaff.
On Tuesday (March 7, 2017, if you’re reading from the future), Wikileaks released the Vault 7 CIA files. The release dumped a ton of information, along with some tweets about how journalists were supposed to be afraid that the CIA has tapped into everyone’s phone and that encrypted messaging has been hacked. This produced the expected results, where words were quickly typed to let you know how everything has changed and this is some horrible new thing you should be afraid of. Wikileaks is good at that; they know how to dangle a carrot and make people spread their message regardless of any facts or truth. P.T. Barnum would approve.
But after taking the time to look at the claims and dig beyond the hyperbole, there are some things to be learned from the Vault 7 files. They should make you concerned, but not afraid, when you use your phone to do anything you wouldn’t want the rest of the world to see.
The good news is that regardless of what’s being claimed, secure encryption methods appear to be secure. WhatsApp, Telegram, and Signal are popular messaging apps that support end-to-end encryption and were called out by Wikileaks in connection with the leaked materials. Further inspection of the claims shows that the actual encryption hasn’t been cracked. These apps don’t even appear by name in any of the files from the CIA, and the tools and tricks mentioned in the leaked documents say nothing about “bypassing” the encryption they use. In fact, it all supports how strong the encryption is and shows that Wikileaks was just playing fast and loose with the news, as they’re prone to do.
The takeaway from Vault 7 is that encryption methods really are strong and we should be using them.
The suggestion from Wikileaks that your Android or iPhone isn’t secure is the same type of over-the-top claim: true on some level, but stretching the truth just enough to be sensational. There are plenty of valid tools to exploit known security issues for Android and iOS detailed in the leaks. The biggest issue is that none of them are new: they’re the same threats and vulnerabilities you see people like me talking about when we say you need to take your privacy a little more seriously. Some have been patched, some never worked as advertised, and most involve someone having your phone in their hands, connected to a computer. We should all be concerned about these things, and it’s why we claim security patches are so important. But nothing leaked should make you more afraid to use your phone than you were last week.
The bad news from the CIA files is how the security landscape has changed. Where surveillance used to be casting a wide net then filtering out particular results for a closer look, people who want to know what’s on your phone are now using individually targeted methods to try to get in it. No matter how you define the good guys versus the bad guys, knowing that smart people are tasked with finding ways to have access to your phone is a very different scenario than a group of crooks fishing for Visa card numbers on Yahoo! mail servers.
This is a device security issue. Do your part and demand the people who made your phone do the same.
Someone who needs to get around the protection an app like Signal offers needs to find a way to tell the app they’re allowed to do so. They need to break into your phone and look, just as if they were looking over your shoulder while you were reading it. That means people like the ones who were able to tap into an encrypted iPhone without assistance from Apple are now working on ways to crack into every phone. Including yours. While you might be OK with knowing law enforcement can get in a criminal’s phone, know that these methods will become widespread. Two or more people can’t keep a secret, and these leaked CIA files show it.
What should we do?
That’s the thing, isn’t it? I doubt anyone reading this is a target of interest for any three-letter government agency. But you still have a right to privacy.
Thankfully, the advice we’ve already heard is still the best way to protect it. Common sense things like not opening attachments from people you don’t know, never installing a file from someone who shouldn’t be distributing it, and not clicking random links through URL shorteners unless you know who is giving them to you. You’ve heard these things before, but turn things up a notch and actually do them. If you need to step things up another notch, use secure messaging services for SMS and email.
There’s one more thing we all need to do: Only buy phones made by companies that care about security. If your phone isn’t getting regular patches to mitigate these exploits, don’t buy that brand next time. Phone manufacturers only care about profits, so to make them pay attention you have to put a dent in those profits.
There was no magic hacker tool pulled from the Vault 7 files and you don’t need to be paranoid. But there is a place between not caring and wearing a tinfoil hat, and that’s where we should be.