Last week, WikiLeaks dropped a bombshell on intelligence agencies by publishing a trove of classified documents dubbed “Vault 7.” The revelations gave a damning account of government surveillance powers and hacking capabilities.
It was also a testament to how vulnerable the increasing number of Internet-connected devices we own can make us. And if you think you shouldn’t worry about what hacking capabilities the feds have, think again. Three-letter agencies aren’t the only ones who are looking for security holes in hardware and software.
As with every hack that makes noise, the Vault 7 leak is associated with new facts, old misunderstandings and some very important lessons. Here’s what you need to know about the latest batch of information that WikiLeaks has spilled into cyberspace.
End-to-end encryption still stands strong…
It is a known fact that apps that implement end-to-end encryption (E2EE) are the most secure messaging software. As opposed to other encryption protocols, E2EE encrypts sent messages in a way that can only be decrypted by the receiving end (hence the name).
The most reliable end-to-end encryption protocol is the one developed by Open Whisper Systems. Aside from OWS’s own messaging app, Signal, other famous apps such as WhatsApp and Telegram use the protocol. Hundreds of millions of users across the world rely on these apps for their daily communications, many of them under oppressive regimes.
However, on March 7, WikiLeaks made the vague assertion that the CIA had succeeded in bypassing the encryption those apps use. The assertion was later echoed by The New York Times, causing panic and creating the impression that it’s better to abandon the apps.
But those claims were later debunked, and it became clear that the feds had failed to crack the Signal protocol. In fact, the documents proved that due to the strength of E2EE, government agencies were forced to change tactics. Instead, they relied on other vulnerabilities in mobile operating systems to read messages before encryption or after decryption.
Signal is an open-source technology vetted and approved by cryptography experts such as Bruce Schneier and Ed Snowden. To this day, it remains the most secure messaging protocol. This means that you shouldn’t trade Signal or WhatsApp for some other app, and certainly not SMS.
…but it isn’t enough
While the Signal bypass claims turned out to be false, they did shed light on another fact: In cybersecurity, there’s no silver bullet.
If a hacker manages to install a trojan on your device (it happens, believe me), they’ll be able to access your phone just as you would. This means they can intercept unencrypted messages and send the data to a remote server.
Signal per se won’t protect your messages against hackers and evil regimes. In fact, nothing will.
The best way to secure your devices and your data is to use a layered approach. For one thing, make sure you adopt basic cybersecurity measures, such as updating your system and software. Also encrypt data across all your devices and accounts, not just messaging apps.
Governments go to great lengths to lay their hands on smartphone vulnerabilities. There are several firms that pay good money for zero-day vulnerabilities, unpatched and unknown security holes. They later sell those vulnerabilities to government agencies of all stripes.
This creates great incentive for security researchers to sell the secrets they uncover to these shady firms instead of reporting them to their respective manufacturers. The WikiLeaks documents claimed the CIA had a cache of zero-days for both Android and iOS devices.
The manufacturers later declared that most of those vulnerabilities had already been addressed. Therefore, never underestimate the value of installing regular updates. You never know what’s lurking in the dark, but you should at least protect yourself against what’s in the light.
Internet of Things security is in a sorry state
One of the scariest revelations was Weeping Angel, the program that allowed the CIA to conduct espionage through Samsung Smart TVs. This isn’t the first time that IoT devices have been found with severe vulnerabilities.
But it certainly is the first time they’re being used as a spying tool by a government agency. Former Director of National Intelligence James Clapper had warned about this last year. (Ironically, the government he served happened to be involved in exactly that kind of activity.)
Last November, Bruce Schneier warned that the Internet is no longer fun and games. This is especially true for two reasons, among others:
- More and more connected devices are finding their way into homes and offices. This translates to more attack vectors and more data for malicious parties to collect.
- Human-computer interaction is going through a huge revolution. Gone are the days when mice and keyboards were the only means of sending commands to computers. Thanks to voice-enabled assistants, eye-tracking, motion-tracking, and a slew of other technologies, you might be interacting with computers and their back-end cloud services without even knowing it. While this facilitates many legitimate tasks, it can also open the way for evil deeds.
What can you do? I suggest you follow these guidelines to make sure your smart home devices are safe against hackers. Aside from that, think twice before connecting a new device to the Internet. Is it a must-have, or a nice-to-have?
Where do we go from here?
My closing thoughts would be that cybersecurity should be everyone’s business. As our lives become more and more connected, privacy is becoming harder to maintain. We are all vulnerable, but through collective effort and responsibility, we can certainly make a difference.