Errata Security: Some Comments on the WikiLeaks CIA Leak

Robert Graham, Errata Security:

I thought I’d write up some notes about the Wikileaks CIA “#vault7” leak. This post will be updated frequently over the next 24 hours.

The CIA didn’t remotely hack a TV. The docs are clear that they can update the software running on the TV using a USB drive. There’s no evidence of them doing so remotely over the Internet. If you aren’t afraid of the CIA breaking in and installing a listening device, then you shouldn’t be afraid of the CIA installing listening software.

The CIA didn’t defeat Signal/WhatsApp encryption. The CIA has some exploits for Android/iPhone. If they can get on your phone, then of course they can record audio and screenshots. Technically, this bypasses/defeats encryption — but such phrases used by Wikileaks are highly misleading, since nothing related to Signal/WhatsApp is happening. What’s happening is the CIA is bypassing/defeating the phone. Sometimes. If they’ve got an exploit for it, or can trick you into installing their software.

I don’t trust WikiLeaks at all. They’re effectively an arm of Russian intelligence as far as I’m concerned. WikiLeaks’s own announcement of this dump made it sound — to laypeople — that the CIA had the ability to intercept encrypted Signal and WhatsApp messages. They don’t. If you have a secure device, WhatsApp and Signal are secure. If your device has been compromised, no messaging service can be secure — everything on a compromised device is compromised.

Wednesday, 8 March 2017