Pixel Envy

Written by Nick Heer.

Poor Reporting on the CIA Documents Released by WikiLeaks

WikiLeaks today dumped a huge set of documents that make public some of the digital intrusion techniques and capabilities used by the CIA. As tends to be the case with these sorts of things, the reporting of these leaks is less nuanced than it ought to be.

For instance, take this bullet-point summary that appeared on the New York Times’ homepage today:

They indicate that the agency, by compromising the phones entirely, was able to access the contents of encrypted messaging apps like Signal and WhatsApp.

That certainly sounds like either the encryption or the apps were breached. Clicking through to the story seems like it reinforces that perception:

Among other disclosures that, if confirmed, will rock the tech world, the WikiLeaks release said that the C.I.A. and allied intelligence services had managed to bypass encryption on popular phone and messaging services such as Signal, WhatsApp and Telegram. According to the statement from WikiLeaks, government hackers can penetrate Android phones and collect “audio and message traffic before encryption is applied.”

Shane Harris and Paul Sonne of the Wall Street Journal (paywalled) wrote something similar:

WikiLeaks said the documents show the CIA’s ability to bypass the encryption of popular messenger applications, including WhatsApp, Signal, Telegram and Confide by hacking the smartphones they run on and collecting audio and message traffic before the applications encrypt the user’s texts.

In fact, pretty much every article I could find used some variation of the word “bypass” to describe the way in which the CIA can, apparently, record aspects of conversations in seemingly-secure apps. And that’s because that’s the exact same way that WikiLeaks describes it in their press release:

These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the “smart” phones that they run on and collecting audio and message traffic before encryption is applied.

It turns out that the CIA hasn’t breached the encryption technologies used by these messenger apps, nor have they breached the apps themselves. WikiLeaks’ use — and other publications’ re-purposing — of the unspecific word “bypass” is especially misleading because it neglects the full context of the prior paragraph within the press release:

A similar unit targets Google’s Android which is used to run the majority of the world’s smart phones (~85%) including Samsung, HTC and Sony. 1.15 billion Android powered phones were sold last year. “Year Zero” shows that as of 2016 the CIA had 24 “weaponized” Android “zero days” which it has developed itself and obtained from GCHQ, NSA and cyber arms contractors.

The flaw here isn’t with any of the encrypted chat apps, but with Android itself. However, because WikiLeaks has, so far, redacted information on the specific exploits possible for Android, it isn’t clear which zero-day — or, more likely, which combination of zero-days — is responsible for the flaw and what it achieves. Perhaps the CIA has an Android keylogger, in addition to their now-known capability to switch on the microphone. But it doesn’t really matter because a compromised device is a compromised device, period.

The CIA also apparently has a batch of exploits for use with iOS, though none are confirmed in these documents to work with iOS 10. The Android exploits are also entirely outdated, but software updates don’t roll out for Android phones as quickly or as evenly as they do for iOS devices.

The really big story most publications are missing here, though, is twofold. First, these documents are an acknowledgement that the CIA finds serious security holes in major software and buys up others’ exploits without telling the developers, which puts billions of devices at risk.

Mike Masnick, Techdirt:

Over the years, nearly all of the focus on hacking mobile phones has been on the NSA and its capabilities, rather than the CIA. But it’s now clear that the CIA has its own operations, akin to the NSA’s hacking operations (kinda makes you wonder why we need that overlap). Except that the CIA’s hacking team seems almost entirely unconcerned with following the federal government’s rules on letting private companies know about vulnerabilities they’ve discovered.

The other important story is that this leak seems to show that encryption is working. Open Whisper Systems, creators of Signal:

Ubiquitous e2e encryption is pushing intelligence agencies from undetectable mass surveillance to expensive, high-risk, targeted attacks.

This is, strangely enough, somewhat good news. Devices are harder to into and communications are harder to record. While that makes the jobs of intelligence agencies harder, it also means that our private conversations can’t be swept up in bulk and stored at data centres to be archived and combed through for an indeterminate amount of time in the future.

Update: I clarified what I meant by the combination of exploits on Android.