WikiLeaks’ Vault 7 dump confirms that encryption still works

“The worst thing that could happen is for users to lose faith in encryption-enabled tools and stop using them.”

WikiLeaks’ “Vault 7” leaks reveal the CIA’s dangerous global hacking arsenal. It’s forcing people everywhere to question their privacy rights. Photo credit: Blogtrepreneur / Flickr (CC BY 2.0)

by: Obert Madondo | Published Mar 16, 2017, by The Canadian Progressive

WikiLeaks recently released what it claims to be the global hacking arsenal of the U.S. Central Intelligence Agency (CIA): a trove of 8,761 documents and files comprising “malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation.”

Code-named “Vault 7”, the dump came from “an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virginia.” According to WikiLeaks, in addition to developing its own hacking tools, the CIA also harnessed the power of the surveillance tools created by professional hackers, cybersecurity companies, security researchers, and other key players in the intelligence game, including the National Security Agency (NSA) and the UK’s Government Communications Headquarters (GCHQ).

No need to panic here. The dump confirms that encrypted messaging apps such as Signal and WhatsApp are still ordinary citizens’ first line of defence against government spying.

Encryption is a method of protecting data and communications from unintended eyes, including those of authoritarian regimes and criminals profiting from our private data. It ensures that the communication you send across the internet is turned into pure gobbledygook, almost impossible for unintended recipients to unscramble. Only you and the intended recipient, who must have a “decryption key” or password, can make sense of the communication.

Still, it’s important to appreciate the fact that the release is freaking out a lot of people to the point of losing faith in encrypted communication apps. That reaction is understandable. Reading WikiLeaks’ “Vault 7” intro information and the media’s coverage of the dump, one gets the impression that spying agencies are now able to bypass the security offered by encrypted messaging apps.

Introducing “Vault 7”, WikiLeaks tweeted:

WikiLeaks also claims that the CIA’s new spying techniques permit the agency to “bypass the encryption of WhatsApp, Signal, Telegram, Weibo, Confide and Cloackman by hacking the ‘smart’ phones that they run on and collecting audio and message traffic before encryption is applied.”

According to WikiLeaks:

The CIA’s Mobile Devices Branch (MDB) developed numerous attacks to remotely hack and control popular smart phones. Infected phones can be instructed to send the CIA the user’s geolocation, audio and text communications as well as covertly activate the phone’s camera and microphone.

Reading major global publications such as the Independent (UK) and New York Times gives the impression that the CIA has found ways to exploit vulnerabilities in the devices ordinary people now heavily rely on at home and work, essential computer software, and iOS and Android operating systems. One is tempted to conclude that the CIA has developed new software capable of cracking into or taking full control of Android smartphones and Apple iPhones.

On March 7, 2017, Edward Snowden, the former NSA contractor who blew the whistle on the agency’s expansive armory of surveillance tools back in 2013, tweeted:

So, how are we expected to process the “Vault 7” dump? Below are a few things to consider:

First, civil libertarians suggest caution before pushing the panic button. Cindy Cohn, the executive director of the Electronic Frontier Foundation (EFF), a San Francisco-based group specializing in online privacy and digital rights, recently blogged:

While we are still reviewing the material, we have not seen any indications that the encryption of popular privacy apps such as Signal and WhatsApp has been broken. We believe that encryption still offers significant protection against surveillance. The worst thing that could happen is for users to lose faith in encryption-enabled tools and stop using them.

Second, leading tech companies whose software was allegedly breached, such as Apple, Google and Microsoft, say they have since fixed many of the vulnerabilities the CIA may have exploited.

Third, breaching end-to-end encryption is damn expensive. Big Brother would need gargantuan amounts of computing power and time to decipher encrypted communications. That leaves spies with these limited options: a) Targeting only high-priority individuals; b) Resorting to old-school surveillance techniques, such as bugging phones and following targets around; c) Installing malware on individual targeted devices to harvest communications before encryption takes effect.

The bottom line is: encryption works.

[Edited]

Obert Madondo is an Ottawa-based progressive blogger, and the founder and editor of The Canadian Progressive. Follow him on Twitter: @Obiemad