Vault 7

WikiLeaks dropped a large archive of Central Intelligence Agency (CIA) leaks. Amongst the archive are internal communications and documents related to various exploits the CIA had or has on hand for compromising devices ranging from smartphones to smart televisions.

I haven’t had a chance to dig through the entire archive yet but there’s one thing that everybody should keep in mind.

The government that claims to protect you, that many people mistakenly believe protects them, has been hoarding vulnerabilities and that has put you directly in harm’s way. Instead of reporting discovered vulnerabilities so they could be patched, the CIA, like the NSA, kept them secret so it could exploit them. Since discovery of a vulnerability doesn’t grant a monopoly on its use, the vulnerabilities discovered by the CIA may very well have been discovered by other malicious hackers. Those malicious hackers could, for example, be exploiting those vulnerabilities to spread a botnet that can be used perform distributed denial of service attacks against websites to extort money from their operators.

Remember this the next time some clueless fuckstick tells you that the government is there to keep you safe.

While I haven’t had a chance to read through the archive, I have had a chance to read various comments and reports regarding the information in the archive. By doing this I’ve learned two things. First, the security advice posted by most random Internet denizens is reminiscent of the legal advice posted by most sovereign citizens. Second, the media remains almost entirely clueless about information security.

Case in point, a lot of comments and stories have said that the archive contains proof that the CIA has broken Signal and WhatsApp. But that’s not true:

It’s that second sentence that’s vital here: It’s not that the encryption on Signal, WhatsApp (which uses the same encryption protocol as Signal), or Telegram has been broken, it’s that the CIA may have a way to break into Android devices that are using Signal and other encrypted messaging apps, and thus be able see what users are typing and reading before it becomes encrypted.

There is a significant difference between breaking the encryption protocol used by a secure messaging app and breaking into the underlying operating system. The first would allow the CIA to sit in the middle of Signal or WhatsApp connections, collect packets being sent to and from Signal and WhatsApp clients, and decrypting the packets and reading the contents. This would allow the CIA to potentially surveil every WhatsApp and Signal user. The second would allow the CIA to target individual devices, compromise the operating system, and surveil everything the user is doing on that device. Not only would this compromise the security of Signal and WhatsApp, it would also compromise the security of virtual private networks, Tor, PGP, and every other application running on the device. But the attack would only allow the CIA to surveil specific targeted users, not every single user of an app.

The devil is in the details and a lot of random Internet denizens and journalists are getting the details wrong. It’s going to take time for people with actual technical knowhow to dig through the archive and report on the information they find. Until then, don’t panic.