WikiLeaks posting Tuesday of a gigantic trove of CIA documents shows one thing: Our communications are increasingly secure.
You, however, may have seen a different distillation of this data dump in headlines warning the CIA could have been spying on you through your phone, tablet and even TV all along.
But that take gets this story wrong. And we need to get it right to understand a debate we keep coming back to: Should developers of encrypted devices and apps provide special access to law-enforcement agencies?
WikiLeaks announced Tuesday that it had posted 8,761 documents from a CIA facility in Langley, Va. the first in a series of planned disclosures of the agencys activities that the group calls Vault 7. This batch focused on the CIAs ability to conduct surveillance by hacking devices and apps, something WikiLeaks chose to highlight by playing up the scare factor of the CIA or the United Kingdoms MI5 intelligence agency hacking into your smart TV to turn it into a clandestine listening device.
Thats the goal of a CIA program, code-namedWeeping Angel, that targeted someSamsung smart TVs to listen in on people. WikiLeaks the secretive group founded by Julian Assange to post government documents called Weeping Angel the most emblematic realization of the endless surveillance described in George Orwells book 1984.
Much first-round coverage for instance, a New York Daily News front page, inspired by the movie Poltergeist, that had a headline screaming THEY HEE-EAR obligingly focused on that angle without providing an important bit of context.
That would be the detail that Weeping Angel apparently requires somebody to plug a USB flash drive into the TV in question to load this malware. And the CIA document posted by WikiLeaks observes that Firmware version 1118+ eliminated the current USB installation method, so it no longer works on an updated set anyway.
If somebody from the CIA can sneak into your house and pop a flash drive into your TV, you have many larger problems. The CIA agent, meanwhile, might find it more efficient to hide traditional listening bugs throughout your house instead of limiting her attention to your TV.
The CIAs attempts to crack smartphones, meanwhile, all appear to target old versions of iOS and Android.
For example, a table of iOS exploits doesnt list any versions of that Apple (AAPL) operating system newer than 9.2. The current release is iOS 10, and its already on 79% of devices. The 24 Android exploits listed, meanwhile, dont specify a version newer than 4.4.4, far behind the current 7.1.1 release of the Google (GOOG, GOOGL) operating systemalthough an embarrassingly high 33.4% of Android devices run versions as old as 4.4.4.
Both Google and Apple have said theyve closed most of these holes, many of which also require physical access to a phone. In a Thursday video appearance, WikiLeaks founder Julian Assange said the group would share data on the other vulnerabilities with companies affected.
Donald Trumps Android may be more at risk than other devices. AP Photo/Matt Rourke
Read More
President Donald Trumps own Android phone photos suggest its a 2012 Galaxy S3 may be among the more exposed devices, owing to its Android software seeing its last update in 2015. That and the sight of WikiLeaks targeting the CIA instead of his political opponents may explain why the man who in October tweeted a compliment for the incredible information provided by WikiLeaks now seems much less fond of the group.
Summed up security analyst Robert Graham in a post unpacking the Vault 7 news: Most of this dump is childs play, simply malware/trojans cobbled together from bits found on the internet.
WikiLeaks says its only posted about 1% of the total Vault 7 info, so its possible that scarier stuff lurks in this file. And other details, like the disclosure of CIA efforts to hack wireless routers remotely, point to lingering security problems that the tech industry needs to address before it connects every computerized device to the internet.
But we can draw one conclusion from the revelations available now: Encryption works. Otherwise intelligence agencies would not work so hard to compromise individual devices.
Thats an easy thing to overlook in, for example, a tweet from WikiLeaks suggesting that these exploits allow the CIA to defeat such encrypted communications apps as Signal or WhatsApp. Yes, they could allow the CIA to take over a phone and thereby log a users speech and touchscreen interactions but a CIA technician could also bypass Signals encryption by looking over a Signal users shoulder.
But without that compromise of an individual phone, the CIA cant snoop on a Signal chat.
The alternative to hacking into specific devices is to require manufacturers and developers to keep extra keys for cops. That was the focus of last years dispute between Apple and the FBIover unlocking an iPhone 5 used by one of the San Bernardino shooters: The Feds wanted Apple to write software that would defeat the lock on any iPhone 5, but Apple resisted and the FBI eventually paid a third party to hack into that particular device.
FBI director James Comey offered a reminder of that in a speech Wednesday in which he said there is no such thing as absolute privacy in America and called on tech firms to provide some way for law enforcement to access a locked device after getting a court order.
The prospect of the three-letter agencies targeting your phone can be scary, not least since they could probably do it. As security expert Bruce Schneier said at a May 2015 event in Washington, when the debate over whether to restrain the National Security Agencys bulk surveillance was nearing its end: If the NSA wanted to be in my computer, theyd be in it.
But, Schneier noted, that must be seen as a desirable outcome of encryption systems operating as designed: They make bulk collection infeasible and force the listeners to target.
More from Rob:
Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.
Continue reading here:
The real lesson of WikiLeaks' massive CIA document dump encryption works - Yahoo Finance
