CIA Leak Shows Mobile Phones Vulnerable, Not Encryption
from the and-cia-isn't-helping dept
As you've probably heard by now, this morning Wikileaks started releasing a new cache of information regarding CIA hacking tools. This is interesting on a variety of levels, but many of the reports focus on the claims that encrypted chat apps like Signal, WhatsApp and Telegram may be compromised. See the top two links in this screenshot:
Wikileaks itself may have contributed to this view with the following paragraph in its release:
These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied.
But the details don't seem to show that those apps are compromised, so much as that Android and iOS devices are compromised. It's always been true that if someone can get into your phone, the encryption scheme you use doesn't matter, because they can just pull keystrokes or grab data before you encrypt it -- in the same way that someone looking over your shoulder can read your messages as well. That's not a fault of the encryption or the app, but of the environment in which you're using the app itself.
And that should really be the bigger concern here. Over the years, nearly all of the focus on hacking mobile phones has been on the NSA and its capabilities, rather than the CIA. But it's now clear that the CIA has its own operations, akin to the NSA's hacking operations (kinda makes you wonder why we need that overlap). Except that the CIA's hacking team seems almost entirely unconcerned with following the federal government's rules on letting private companies know about vulnerabilities they've discovered.
Remember, the Obama White House put in place what it called a Vulnerabilities Equities Program in which the intelligence community is supposed to default to letting private companies know about vulnerabilities. And, yes, this was always something of a joke as there was a giant loophole involving "except for a clear national security or law enforcement need" that the NSA basically used to withhold vulnerabilities all the time. Still, at least the NSA appeared to get around to revealing some vulnerabilities eventually (probably once they were no longer useful).
Here, however, it looks like the CIA was hoarding some really serious vulnerabilities with wild abandon. In a chart released by Wikileaks you see that the CIA is getting these vulnerabilities from a variety of sources. Some it's finding itself, some it's purchasing, and some are shared via other agencies, such as the NSA or the UK's GCHQ. As Ed Snowden notes, there is now clear evidence (which many suspected, but which had not been proven) that the US government was secretly paying to keep US software unsafe and vulnerable. That's really dangerous. It's putting basically everyone in much more serious danger, just so the CIA, NSA and others can get in when they want to:
The CIA reports show the USG developing vulnerabilities in US products, then intentionally keeping the holes open. Reckless beyond words.
— Edward Snowden (@Snowden) March 7, 2017
This is why the whole conversation about mandating backdoors and "going dark" was so dangerous in the first place. Those were plans to force even more of these vulnerabilities into the wild, just for the very very rare cases where they were needed by law enforcement or intelligence.
At a time when the President is suddenly acting as if he's concerned about domestic surveillance (at least of himself), perhaps now would be a good time to crack down on this kind of stuff. I'm not holding my breath -- but, for now, we're getting a lot more insight into the CIA's electronic surveillance methods, and it sounds like there's more to come.
Filed Under: cia, encryption, hacking, nsa, phones, surveillance, vep, vulnerabilities, vulnerabilities equities program
Companies: wikileaks
Reader Comments
[ link to this | view in chronology ]
Re:
I'm kind of curious how you get from what's in the story to blaming Silicon Valley?
[ link to this | view in chronology ]
Re: Re:
The problem I have with that: not only NSA, CIA but Chinese and Russians can exploit as well. Case in point is hacked OPM personnel files.
[ link to this | view in chronology ]
Re: Re: Re:
None of that has anything to do with this story.
So, once again, I'm asking why you would blame Silicon Valley for this story?
[ link to this | view in chronology ]
Re: Re: Re: Re:
Bezos and wikileaks servers, does that ring a bell?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Sure. But none of that has anything to do with this story. That's what I'm asking about. Throwing out random bad behavior by Silicon Valley that has absolutely nothing to do with the story above doesn't make your point. It makes me think you have no point.
[ link to this | view in chronology ]
Re: Re:
What did Eric Schmidt say about privacy again?
[ link to this | view in chronology ]
Trust but (can't) verify
"[N]ow would be a good time to crack down on this kind of stuff..." yeah, but we'd never really know if they did, would we? They can always tell us they've stopped (or tell Congress), but who'd really believe that they have? Not me.
[ link to this | view in chronology ]
Re: Trust but (can't) verify
Maybe then my interest is piqued, and my trust levels
[ link to this | view in chronology ]
Methods? We KNOW it's going on, don't need details. It's what SPIES do. This is distraction with no action, mere kibitzing. Just what "they" want.
Apparently, from lack of mention here, you're okay with the CIA fomenting civil war in Syria, supporting actual terrorists who used the chemicals (and you believe the NYT claiming that was Assad), but OMG, my precious app is compromised!
What the hell do you think "smart" phones are for except a 1984 telescreen that you voluntarily carry around everywhere? We are IN the dystopian future, kids.
Basic problem is the uncontrolled deep state -- and you're siding with it against Trump! I suppose here at Techdirt, you'll deny that even exists, still believe that the Russians (with their puppet Trump) are the threat, not the 850,000 spooks in "Top Secret America".
Now, I bet there's zero agreement to my points from Techdirt regulars, this is such a WEIRD site compared to The Register, so have at it.
[ link to this | view in chronology ]
Re: Methods? We KNOW it's going on, don't need details. It's what SPIES do. This is distraction with no action, mere kibitzing. Just what "they" want.
[ link to this | view in chronology ]
Re: Re: Methods? We KNOW it's going on, don't need details. It's what SPIES do. This is distraction with no action, mere kibitzing. Just what "they" want.
What a loon.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Paying?
What am I missing? The image shows government agencies buying IOS vulnerabilities, but it doesn't say they're paying Apple or other software companies to add backdoors or avoid/delay patching vulnerabilities. Is that what you're implying? I'd have assumed they were paying third-party researchers who'd lack the influence to "keep US software unsafe".
[ link to this | view in chronology ]
Re: Paying?
[ link to this | view in chronology ]
Re: Re: Paying?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
You can install whatever OS you want on your computer, why shouldn't this apply to mobile computers, er, phones? I'd gladly install directly from Google. Heck, if you make things easier you'll also spawn a healthy market for alternative OS developers where we all win in the end.
[ link to this | view in chronology ]
Re:
For anyone who cares about security, iOS is sadly the only option.
[ link to this | view in chronology ]
Re: Re:
Wrong.
Most users use iCloud to sync backups. No encryption.
iCloud accepts logins, and downloading of iPhone backup files from any geographic location. No Google-style geofencing/someone-tried-to-login-to-your-account-from-Russia protections.
Those backups are hosted on multiple third-party CDNs, not Apple-owned servers. PRISM anyone?
Apple does _NO RATE LIMITING_ for login attempts. So brute forcing an iCloud account is script-kiddie easy. (No one uses 2FA on Apple)
Google "icloud api download backup". See how easy it is to loop a password dictionary onto a login() with some of those libraries.
Some of these iCloud APIs also parse the files in the backup and extract messages from 'secure' apps. (Most messaging apps can tag files as do-not-include-in-backup but don't)
So to securely message someone, BOTH iPhones need a secure app, and BOTH need to have iCloud sync turned off.
And that's ignoring the built-in baseband backdoor and silent iOS update service.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Android has plenty of OS developers modding Android (and keeping up to date with security fixes).
An example is Cyanogenmod, I used to run that on my previous android phone when Motorola pulled the update plug (much preferred it to the stock firmware anyway).
My new phone is still under warranty but when that is up Samsung's crappy bloatware laden OS will be replaced by Cyanogenmod.
[ link to this | view in chronology ]
Re: Re:
The development community have migrated over to a fork called LineageOS; the development, build, and release patterns are a little different, and the process of migrating from CyanogenMod to LineageOS isn't as clean and simple as could be hoped for, but the result seems to be just as good overall as CyanogenMod was. (At least so far.)
[ link to this | view in chronology ]
Re: Re: Re:
I haven't followed the community since I got me new phone, time to read up on Lineage OS. :-)
[ link to this | view in chronology ]
So...
[ link to this | view in chronology ]
Re: So...
The DNC did a lot of shady things.
That is what cost them the election.
20 years ago we would have called this "Investigative Journalism" but today we call it hacking because that sounds spooky and evil.
Stop allowing the DNC to focus the wool around your eyes on the method of revelation instead of the actual revelations.
[ link to this | view in chronology ]
Re: Re: So...
Some of us have the ability to hold more than one thought in our head at a time.
(Some of us even have the ability to use metaphors correctly. "Focus the wool around your eyes"? What does that even mean?)
[ link to this | view in chronology ]
Re: Re: Re: So...
[ link to this | view in chronology ]
Re: So...
[ link to this | view in chronology ]
Re: Re: So...
[ link to this | view in chronology ]
Re: So...
Probably both; it is not clear. Keeping an eye on elections seems to be a worthy activity. But if US intelligence organizations are hacking US elections then whether the US is still a democracy is at question. The various intelligence organizations each has its own specialty. The NSA does signal intelligence for example. The FBI has a domestic and Latin American emphasis. Keep the faith and the courage to ask the hard questions.
[ link to this | view in chronology ]
On the Plus Side
Between now and then be wary, but in a few months expect many patches for every Operating System and App devs and more push back from tech companies against government(s) efforts to stifle their speech when it comes to alerting consumers that the government agencies are in reality doing things that could impact their daily lives.
Wikileaks, helping foreign adversaries bring down democratic nations one leak at a time or helping individuals take back their individual freedoms one shitty leak at a time, only future historians will know that outcome.
[ link to this | view in chronology ]
Re: On the Plus Side
I doubt Apple is, and that's precisely why I'm sticking w iOS
[ link to this | view in chronology ]
Yeah. A lot. The paradigm of technology and security needs to change.
On Android, when you install a 3rd party keyboard, you'll get a notification about how the developer can intercept what you type (SwiftKey anyone?).
When something new is around the corner, security should be paramount, not an afterthought once we realize it's broken.
I don't think there is enough black electrical tape in the world for every cell phone and webcam.
[ link to this | view in chronology ]
Re:
Yeah, there are a lot of reasons why security simply isn't the fundamental priority in software design that it should be. I'm hoping that, now that we've got languages like Rust and Go that can match C's performance without adopting its 1970-vintage approach to memory management, devs will start slowly making the transition, but a fully-functional OS based on those foundations is a long way off.
(When was the last time a new, built-from-the-ground-up OS got a foothold? Windows NT? I don't think we can count OSX (based on FreeBSD) or Android or ChromeOS (both use the Linux kernel), and lesser-used OS's like Blackberry, WebOS, BeOS, and Tizen all seem like also-rans.)
I think we're likely to see formal verification start to be adopted for highly secure, special-purpose OS's, but by its nature it's incredibly labor-intensive and has serious issues with scalability.
Meanwhile, thanks to Android and the IoT, Linux-based OS's have proven not to be nearly the secure workhorses in consumer electronics that they are in the server market. Torvalds and the other core kernel developers have always focused on compatibility over security, and that's not likely to change. And honestly they kind of have a point -- it doesn't matter how secure you make your kernel if some jackass is going to stick it on a router that uses a hardcoded root password and an open telnet port and call it a day.
[ link to this | view in chronology ]
Re:
That's sorta how keyboards work.
If the keyboard can't intercept keystrokes (what you are typing), then the keyboard won't function. If it's not allowed to intercept keystrokes, it can't receive input from the touchscreen and then translate that into a keystroke (a, b, c...) to be sent to/from the application that's using the keyboard (browser, SMS app, etc.).
The problem arises when a keyboard app can: 1) intercept keystrokes (i.e. do its job); and 2) access communications interfaces (bluetooth, 3/4/X/G, USB, thunderbolt, IR, WiFi).
Therefore a developer of the keyboard, in addition to legitimately intercepting the keystrokes, could also illegitimately forward those on through the communications interfaces.
Of course, there are legitimate reasons for forwarding on the keystrokes - cloud-based handwriting/voice recognition, and so on.
[ link to this | view in chronology ]
Re: Re:
If you permit it to access storage, and then the people behind it get another app onto your device which _does_ need to access both network communications and storage (such apps being far from uncommon), that app can transmit a stored record of keystrokes.
[ link to this | view in chronology ]
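An added example, not part of any comment above: a device-audit sketch for the two cases the keyboard comments describe, a keyboard that itself holds a communications permission and a keyboard with storage access paired with a second app that holds both storage and network access. It assumes manifests have already been decoded to text XML and that "the people behind it" can be approximated by a shared signing identity; the package names, signer labels and sample manifests are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID = "{http://schemas.android.com/apk/res/android}"
BIND_IME = "android.permission.BIND_INPUT_METHOD"  # guards input-method (keyboard) services
NETWORK = {"android.permission.INTERNET", "android.permission.BLUETOOTH",
           "android.permission.BLUETOOTH_CONNECT"}
STORAGE_WRITE = {"android.permission.WRITE_EXTERNAL_STORAGE",
                 "android.permission.MANAGE_EXTERNAL_STORAGE"}
STORAGE_READ = STORAGE_WRITE | {"android.permission.READ_EXTERNAL_STORAGE"}


def summarize(manifest_xml):
    """Return (package, is_keyboard, requested_permissions) for one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name")
             for tag in ("uses-permission", "uses-permission-sdk-23")
             for e in root.iter(tag)}
    # A keyboard is any package exposing a service bound via BIND_INPUT_METHOD.
    is_ime = any(s.get(ANDROID + "permission") == BIND_IME for s in root.iter("service"))
    return root.get("package"), is_ime, perms


def audit(apps):
    """apps: iterable of (signer_id, manifest_xml). Returns sorted (package, finding) pairs."""
    by_signer = defaultdict(list)
    for signer, xml_text in apps:
        by_signer[signer].append(summarize(xml_text))
    findings = []
    for pkgs in by_signer.values():
        for pkg, is_ime, perms in pkgs:
            if not is_ime:
                continue
            if perms & NETWORK:
                findings.append((pkg, "direct: keyboard itself holds a network permission"))
            elif perms & STORAGE_WRITE:
                # Relay case: keystrokes written to shared storage, sent out by a sibling app.
                for other, _, operms in pkgs:
                    if other != pkg and operms & NETWORK and operms & STORAGE_READ:
                        findings.append((pkg, "relay: keyboard can write storage; same-signer "
                                              "app %s can read it and reach the network" % other))
    return sorted(findings)


def manifest(package, perms, ime=False):
    """Build a minimal constructed manifest for the sample data below."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    svc = '<service android:name=".Ime" android:permission="%s"/>' % BIND_IME if ime else ""
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s<application>%s</application></manifest>' % (package, uses, svc))


# Constructed sample inventory: (signer label, decoded manifest).
SAMPLE = [
    ("signer-A", manifest("com.example.netkeys", ["android.permission.INTERNET"], ime=True)),
    ("signer-B", manifest("com.example.quietkeys",
                          ["android.permission.WRITE_EXTERNAL_STORAGE"], ime=True)),
    ("signer-B", manifest("com.example.flashlight",
                          ["android.permission.INTERNET",
                           "android.permission.READ_EXTERNAL_STORAGE"])),
    ("signer-C", manifest("com.example.plainkeys", [], ime=True)),
]

if __name__ == "__main__":
    for pkg, finding in audit(SAMPLE):
        print(pkg, "->", finding)
```

A finding here means the capability exists, not that keystrokes are being forwarded; as the comment notes, cloud-based recognition is a legitimate reason for a keyboard to hold network access.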
Re: Re:
[ link to this | view in chronology ]
Information is power. Who has the most information? The IC does. So where does the real power lie? With Congress or the group who literally has the information (real or not) to bring any individual or nation down? If you don't play their game, do you think they're going to let you get in their way? I guess you could ask Kennedy... Kind of fitting that the password to these documents was a quote from him.
There seems to be a lot of turmoil in the upper echelons of the US government. It's almost a civil war but it's all happening behind the scenes. It's an internal power struggle, and they're trying to keep up the facade on the whole charade. Interested to see what happens I guess, but I don't think it'll be to any of our benefit.
[ link to this | view in chronology ]
Re:
The comment about Kennedy veers a little too much into conspiracy theory territory for my tastes, but your point is well-taken. I think far too many people have been ready to praise leaks that serve their own political interests and condemn ones that serve The Other Guy's, without actually evaluating where they're coming from and what they mean. (See our metaphor-mixing anonymous friend upthread who insists that it doesn't matter where the DNC leaks came from, it only matters what was in them -- as if it's not possible for both things to matter.)
The enemy of your enemy is not your friend. There's no contradiction in thinking that the DNC behaved unethically while also believing that Assange, Putin, et al do not have our best interests at heart in obtaining and publishing Podesta's emails. Similarly, we're currently seeing a battle between the White House and the CIA, and between the CIA and the Russian government. Anybody who's looking for a good guy to root for in any of those conflicts is missing the point. It's like the poster for Alien vs. Predator: whoever wins, we lose.
[ link to this | view in chronology ]
Re: Re:
Go read about the power struggle that happened during and after the Bay of Pigs. It will explain more about how the US functions than just about anything you'll ever read.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
I agree that people have a huge double standard when it comes to their "teams" and I've already seen a lot of people seem to think it's okay that CIA does this because it's their "job" and they're "keeping us safe" by doing this when in reality the purpose is often self serving. It is a fact that they have covertly toppled governments and installed dictators friendly to the economic rape of their country by US corporate interests. And they expect me to trust them? The biggest example of team mentality is obviously Republican vs Democrat. This is a false choice being presented. It's like a parent asking their kid "would you like peas or carrots with dinner?" Doesn't matter which one they choose. They're eating their vegetables without realizing they were tricked into thinking they had a choice. Many people think the only choices they have are the ones presented to them.
We as a people need to realize the things we argue about are relatively petty. We are not each other's enemy. Everyone has the exact same needs: food, water, shelter, love. But we are intentionally pitted against each other on a multitude of nonsense issues. We are asked to pick between two bad things, then asked to pick sides, and don't forget to ridicule everyone who didn't pick your side. The government is not on your side and it is our responsibility to keep it in check. A responsibility we have abdicated in favor of letting authority and so-called experts do all of our thinking for us.
The intelligence community has concentrated an immense amount of power and I'm not sure of the amount of control our elected body has over that power.
Anyway, feel like I've hit way too many subjects, so I'll sum it up with what you said: whoever wins, we lose.
[ link to this | view in chronology ]
Re:
They control the money.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Qubes is a virtual machine based OS that allows you to segregate everything you do into separate VMs. This means that if one gets hacked or infected the others won't, or at least it is less likely. Also, at least the people behind the OS look at the whole system to try and make even the hardware more secure from things like BIOS infection.
https://www.qubes-os.org/
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Fair enough. In that case, would Tails do?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
That's why I like Qubes: the developers are interested in fixing the whole system, not just one part. Supporting Qubes OS will hopefully help that goal.
[ link to this | view in chronology ]
Re:
Only...how do you know NSA/CIA hasn't bought a bunch of security holes in Qubes OS?
[ link to this | view in chronology ]
Re: Re:
Same as any other free/open-source project: you can't know for sure, but between the ability to audit the source code and the wisdom of crowds, it's a lot easier to verify the security than it is with a proprietary project.
(It does appear that Qubes has some optional proprietary components for running Windows VMs. Those do not benefit from allowing users to audit their source, though of course neither does Windows itself.)
[ link to this | view in chronology ]
You cannot do this anymore with Ford, GM, BMW, or Chrysler vehicles, but you can replace the infotainment system with a third-party model on Toyota.
That is why my next car is going to be a Toyota, where I can replace the infotainment system with a car stereo of my choosing where the CIA, and the like, cannot spy on me.
The CIA cannot spy on a JVC KD-series stereo unit.
If you want to keep the government out of your car stereo, get a Toyota, where you can replace the factory system with a system of your choosing.
[ link to this | view in chronology ]
Presidential concern
At a time when the President is suddenly acting as if he's concerned about domestic surveillance
I do not believe for one red hot second that President Trump is all that concerned. It was just a handy dead cat to throw on that table to distract from other issues, either current or just about to come up.
And the press, bless their hearts, fell for it.
Again.
[ link to this | view in chronology ]
Re: Presidential concern
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Either way updates and installed apps are the Achilles' heel of any OS. Every point of trust is a point of attack, which means endless attack vectors to me.
So I think trusted computing will definitely need to be done from the silicon up, using more robust OSes built from more robust programming languages, with better sand boxes, as others here have already suggested.
But still I think the low hanging fruit to trusted computing lies in reducing the number of people/entities you HAVE to trust to use your device effectively, to as close to zero as you can get it.
Right now I've had to trust probably hundreds of companies (including AT&T and Frontier) and thousands of people just to look at dog memes on the internet. And at any given time, I don't even know that the people I've given trust to are actually the people I think I trust, and not some man-in-the-middle attack feeding me malicious updates.
At this point, putting back doors in encryption would just be a cherry on top of something that already has a near-infinite attack surface; a big middle finger to anyone who thinks they have privacy.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
First off, how do you know it's the official source or even that you connected to the official server? Web sites, downloads, hashes, etc., can all be spoofed. Hashes have their own attack vectors, and how do you know someone didn't slip something subtly malicious into the official source? How do you know you're even calculating the hashes correctly? Are you going to verify the source and/or hashes line-by-line with your eyeballs?
Secondly, how do you know that your "pristine" install wasn't tampered with while you took your dog for a walk? It's pretty easy to get code onto most devices if you have physical access. The new fox in the hen house will then happily report that there are no foxes in the hen house.
My point is that trusted computing is currently a Pandora's Box of mistrust. How do you trust your compiler, or the compiler that compiled your compiler, or even the hardware the compiler compiled your source code on? The rabbit hole goes pretty deep.
[ link to this | view in chronology ]
Re: Re: Re:
Yes, and I'm pretty damn certain that these are the exact questions that need to be asked............and, luck willing, answered...........feels like a think outside the box solution is needed here........possible, but not guaranteed
[ link to this | view in chronology ]
The bigger problem is exploitation by others, as it becomes a two way street.
[ link to this | view in chronology ]
You Can't Hack Math
The degree of difficulty of a brute-force hack of any particular encryption algorithm does not vary. If the strength of the algorithm places it beyond the capacity of contemporary computability, it's safe.
If what you're encrypting is WAY less valuable than the cost to decrypt, you're safe (unless you piss off an orange with a tweet).
The imperfections of any specific implementation of a particular encryption algorithm on the other hand... The question becomes one of how much you trust the implementer of the algorithm to look out for your interests.
Hardware and software providers make promises. I like to think of these promises the same way I think of the expression "stainless steel" - more of a fond wish than a lifetime guarantee.
[ link to this | view in chronology ]
Re: You Can't Hack Math
Well, safe from a brute-force attack. Not safe if you accidentally give your password to a phisher, or install an app with a privilege escalation vulnerability, or any number of other possible attacks.
[ link to this | view in chronology ]
Re: Re: You Can't Hack Math
Thad, you left out screen mirroring attacks, based upon NSA pre-hacks of chipsets.
Care to explain why you left that out?
Screen mirroring attacks are by far, the most common CIA et al launchpads these days.
[ link to this | view in chronology ]
"CIA Leak Shows Mobile Phones Vulnerable, Not Encryption"
Nice to know we (the people) have a CIA looking out for US.
[ link to this | view in chronology ]