This week, WikiLeaks released ”Vault 7″—a roughly 8,000-page document purporting to detail surveillance tools and tactics of the Central Intelligence Agency. The leak appears to outline a wide variety of vulnerabilities in smartphones and other devices that the CIA uses to intercept communications and eavesdrop on its targets. Here’s what the average smartphone user needs to know.
You shouldn’t stop using encryption services
The leaked documents suggested that the CIA can bypass the security measures of encrypted messaging apps such as WhatsApp—but that doesn’t mean you should stop using them. This point has gotten a bit confused in the aftermath of the leaks. WikiLeaks itself tweeted that the leak “confirms CIA can effectively bypass Signal + Telegram + WhatsApp + Confide encryption.” This language about encrypted messaging apps was picked up in other places, including the New York Times, which wrote that the vulnerabilities detailed in the leaks allow CIA officers “to bypass the encryption on popular services such as Signal, WhatsApp and Telegram.”
But, as other outlets quickly pointed out, that message is very misleading for the typical smartphone user. The leaked documents don’t in any way indicate that the CIA has identified vulnerabilities in any of these apps. Rather, the CIA has identified vulnerabilities in the smartphone technology that these apps run on, not the apps themselves.
This distinction matters. To misreport the leaks means that people might come away thinking that they shouldn’t bother using encryption services—and it also wrongly puts the responsibility for addressing these vulnerabilities on the app companies, rather than the phone developers.
That said, it’s always good to be reminded that encryption is not, by any means, a panacea when it comes to online security. Any encryption service you use almost certainly provides you with access to the decrypted contents of messages you send and receive. If you and your friends can view those messages on your phones, then you should take for granted that someone else can, too, so long as they have access to your device.
But that doesn’t mean encryption is useless. On the contrary, encryption services force people who want to spy on your communications to compromise devices rather than just intercepting online traffic. Adding that extra hurdle is worthwhile, even if it won’t deter the most determined and well-resourced spies (like, for instance, the CIA).
Smart devices can easily be used to spy on you
The other important lesson from the Vault 7 leaks is that we should all be wary of how easily our internet-connected “smart” devices can be used to spy on us. The documents include details about exploits used to target Samsung smart TVs and turn them into listening devices, even when they seem to be turned off. Internet-enabled electronics, especially smartphones and personal computers, are inevitably going to be present in just about every home these days—but intelligence agencies’ abilities to turn these devices into remote eavesdropping tools should make people think seriously before adding new ones.
Is the value you get from having smart televisions, speakers, or security cameras worth the worry about how these devices may be compromised and used against you? (Even if you’re not worried about the CIA coming after you, it should go without saying that anything they can do can be done just as easily by any number of others—inside and outside the government.)
You’re probably not going to let your household fall off the grid entirely. But even if all you do is restrict yourself to laptops and smartphones as the only connected devices in your home, you’ll still raise the bar for your personal security. Those devices are often designed by tech companies with deep expertise in computer security, as opposed to other devices manufactured by companies that are relatively new to the security challenges their smart products may present.
So here’s the upshot from the CIA leaks: Keep using WhatsApp and Signal, ditch the smart TV, and remember that no matter how hard you try, you probably can’t protect yourself fully against the formidable surveillance powers of the US intelligence community.