CIA Leak Shows Mobile Phones Vulnerable, Not Encryption

from the and-cia-isn't-helping dept

As you’ve probably heard by now, this morning Wikileaks started releasing a new cache of information regarding CIA hacking tools. This is interesting on a variety of levels, but many of the reports focus on the claims that encrypted chat apps like Signal, Whatsapp and Telegram may be compromised. See the top two links in this screenshot:

Wikileaks itself may have contributed to this view with the following paragraph in its release:

These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the “smart” phones that they run on and collecting audio and message traffic before encryption is applied.

But the details don’t seem to show that those apps are compromised, so much as that Android and iOS devices are compromised. It’s always been true that if someone can get into your phone, the encryption scheme you use doesn’t matter, because they can just pull keystrokes or grab data before you encrypt it — in the same way that someone looking over your shoulder can read your messages as well. That’s not a fault of the encryption or the app, but of the environment in which you’re using the app itself.

And that should really be the bigger concern here. Over the years, nearly all of the focus on hacking mobile phones has been on the NSA and its capabilities, rather than the CIA. But it’s now clear that the CIA has its own operations, akin to the NSA’s hacking operations (kinda makes you wonder why we need that overlap). Except that the CIA’s hacking team seems almost entirely unconcerned with following the federal government’s rules on letting private companies know about vulnerabilities they’ve discovered.

Remember, the Obama White House put in place what it called a Vulnerabilities Equities Program in which the intelligence community is supposed to default to letting private companies know about vulnerabilities. And, yes, this was always something of a joke as there was a giant loophole involving “except for a clear national security or law enforcement need” that the NSA basically used to withhold vulnerabilities all the time. Still, at least the NSA appeared to get around to revealing some vulnerabilities eventually (probably once they were no longer useful).

Here, however, it looks like the CIA was hoarding some really serious vulnerabilities with wild abandon. In a chart released by Wikileaks you see that the CIA is getting these vulnerabilities from a variety of sources. Some it’s finding itself, some it’s purchasing, and some are shared via other agencies, such as the NSA or the UK’s GCHQ. As Ed Snowden notes, there is now clear evidence (which many suspected, but which had not been proven) that the US government was secretly paying to keep US software unsafe and vulnerable. That’s really dangerous. It’s putting basically everyone in much more serious danger, just so the CIA, NSA and others can get in when they want to:

This is why the whole conversation about mandating backdoors and “going dark” was so dangerous in the first place. Those were plans to force even more of these vulnerabilities into the wild, just for the very very rare cases where they were needed by law enforcement or intelligence.

At a time when the President is suddenly acting as if he’s concerned about domestic surveillance (at least of himself), perhaps now would be a good time to crack down on this kind of stuff. I’m not holding my breath — but, for now, we’re getting a lot more insight into the CIA’s electronic surveillance methods, and it sounds like there’s more to come.

Filed Under: , , , , , , , ,
Companies: wikileaks

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “CIA Leak Shows Mobile Phones Vulnerable, Not Encryption”

Subscribe: RSS Leave a comment
70 Comments
Anonymous Coward says:

Re: Re: Re:

well, let me refresh you memory, mr masnick. shyster bill gates was paid for nsa back doors in windows 95. they even helped him monopolize market. that is how we ended with that crap being no 1 os. so much crap, bill gates prohibited use of it on own ms servers in redmond.

the problem i have with that, not only nsa cia but chinese and russians can exploit as well. case in point is hacked opm personnel files.

Mike Masnick (profile) says:

Re: Re: Re: Re:

well, let me refresh you memory, mr masnick. shyster bill gates was paid for nsa back doors in windows 95. they even helped him monopolize market. that is how we ended with that crap being no 1 os. so much crap, bill gates prohibited use of it on own ms servers in redmond.

None of that has anything to do with this story.

So, once again, I’m asking why you would blame Silicon Valley for this story?

Mike Masnick (profile) says:

Re: Re: Re:3 Re:

It has, they prostitute themselves for a change.

Bezos and wikileaks servers, does that ring a bell?

Sure. But none of that has anything to do with this story. That’s what I’m asking about. Throwing out random bad behavior by Silicon Valley that has absolutely nothing to do with the story above doesn’t make your point. It makes me think you have no point.

Football says:

Methods? We KNOW it's going on, don't need details. It's what SPIES do. This is distraction with no action, mere kibitzing. Just what "they" want.

Methods? We KNOW it’s going on, don’t need details. It’s what SPIES do. This is distraction with no action, mere kibitzing. Just what “they” want.

Apparently, from lack of mention here, you’re okay with the CIA fomenting civil war in Syria, supporting actual terrorists who used the chemicals (and you believe the NYT claiming that was Assad), but OMG, my precious app is compromised!

What the hell do you think “smart” phones are for except a 1984 telescreen that you voluntarily carry around everywhere? We are IN the dystopian future, kids.

Basic problem is the uncontrolled deep state — and you’re siding with it against Trump! I suppose here at Techdirt, you’ll deny that even exists, still believe that the Russians (with their puppet Trump) are the threat, not the 850,000 spooks in “Top Secret America”.

Now, I bet’s there’s zero agreement to my points from Techdirt regulars, this is such a WEIRD site compared to The Register, so have at it.

Wendy Cockcroft (user link) says:

Re: Methods? We KNOW it's going on, don't need details. It's what SPIES do. This is distraction with no action, mere kibitzing. Just what "they" want.

Nobody is siding with anybody, Football. People have no obligation to agree with you to prove they’re normal, either. Off you trot, now. Back to the Register where you feel more at home.

Anonymous Coward says:

Paying?

As Ed Snowden notes, there is now clear evidence[…] that the US government was secretly paying to keep US software unsafe and vulnerable.

What am I missing? The image shows government agencies buying IOS vulnerabilities, but it doesn’t say they’re paying Apple or other software companies to add backdoors or avoid/delay patching vulnerabilities. Is that what you’re implying? I’d have assumed they were paying third-party researchers who’d lack the influence to "keep US software unsafe".

Anonymous Coward says:

Re: Paying?

“Paying” for vulnerabilities usually also includes buying the silence of the individual/organisation who have discovered the vulnerability. Therefore preventing the notification of the vulnerability to the software maintainers. Therefore in effect paying to prevent the vulnerability from being fixed.

Ninja (profile) says:

Vulnerabilities will exist regardless of how good the makers are at upgrading their systems. Android environment is particularly plagued with updating issues given its fragmentation. My phone is still within those receiving patches for critical security issues within 3 months but that until the manufacturer decides to pull the plug. And it will eventually. Of course it would be good if vulnerabilities were brought to light and fixed asap. But the CIAs of the world are not the problem, rather, the lack of updates that patch critical problems that are eventually uncovered is.

You can install whatever OS you want on your computer, why shouldn’t this apply to mobile computers, er, phones? I’d gladly install directly from Google. Heck, if you make things easier you’ll also spawn a healthy market for alternative OS developers where we all win in the end.

Anonymous Coward says:

Re: Re: Re:

For anyone who cares about security there iOS is sadly the only option.

Wrong.

Most users use icloud to sync backups. No encryption.

icloud accepts logins, and downloading of iphone backup files from any geographic location. No google-style geofencing/someone-tried-to-login-to-your-account-from-russia protections.

Those backups are hosted on multiple third-party cdns, not apple owned servers. Prism anyone?

Apple does NO RATE LIMITING for login attempts. So brute forcing an icloud account is Script kiddie easy. (No one uses 2FA on Apple)

Google “icloud api download backup”. See how easy it is to loop a password dictionary onto a login() with some of those libraries.

Some of these icloud APIs also parse the files in the backup and extract messages from ‘secure’ apps. (Most messaging apps can tag files as do-not-include-in-backup but don’t)

So to securely message someone, BOTH iphones need a secure app, and BOTH need to have icloud sync turned off.

And that’s ignoring the built in baseband backdoor and silent ios update service.

Anonymous Coward says:

Re: Re:

The more complex Linus ecosystem, where the distros have to keep tabs on security updates by following mailing lists etc., has little trouble in getting security fixes out to their users within hours of a patch being published. The problem with patches in the Android ecosystem has more to do with the bureaucracy of large organizations, rather than any testing and distribution problems.

Anonymous Coward says:

Re: Re:

“You can install whatever OS you want on your computer, why shouldn’t this apply to mobile computers, er, phones? I’d gladly install directly from Google. Heck, if you make things easier you’ll also spawn a healthy market for alternative OS developers where we all win in the end.”

Android has plenty of OS developers modding Android (and keeping up to date with security fixes).

An example is Cyanogenmod, I used to run that on my previous android phone when Motorola pulled the update plug (much preferred it to the stock firmware anyway).

My new phone is still under warranty but when that is up Samsung’s crappy bloatware laden OS will be replaced by Cyanogenmod.

The Wanderer (profile) says:

Re: Re: Re:

CyanogenMod as such doesn’t exist anymore; the company pulled the plug on it on December 25th, 2016.

The development community have migrated over to a fork called LineageOS; the development, build, and release patterns are a little different, and the process of migrating from CyanogenMod to LineageOS isn’t as clean and simple as could be hoped for, but the result seems to be just as good overall as CyanogenMod was. (At least so far.)

Anonymous Coward says:

Re: So...

Neither since the election was not hacked.

The DNC did a lot of shady things.
That is what cost them the election.

20 years ago we would have called this “Investigative Journalism” but today we call it hacking because that sounds spooky and evil.

Stop allowing the DNC to focus the wool around your eyes on the method of revelation instead of the actual revelations.

Thad (user link) says:

Re: Re: So...

Stop allowing the DNC to focus the wool around your eyes on the method of revelation instead of the actual revelations.

Some of us have the ability to hold more than one thought in our head at a time.

(Some of us even have the ability to use metaphors correctly. "Focus the wool around your eyes"? What does that even mean?)

James Anderson (profile) says:

Re: So...

Dear Anonymous Coward, 7 Mar 2017 @ 12:53pm
Probably both it is not clear. Keeping an eye on elections seems to be a worthy activity. But if US intelligence organizations are hacking US elections then whether the US is still a democracy is at question. The various intelligence organizations each have it’s own specialty. The NSA does signal intelligence for example. The FBI has a domestic and Latin American emphasis. Keep the faith and the courage to ask the hard questions.

aStepForward says:

On the Plus Side

On the plus side of things, with this recent leak which alleges to include source code, now Alphabet, Apple, HP, IBM, Microsoft and all the app developers now know what holes to plug in their code.

Between now and then be wary, but in a few months expect many patches for every Operating System and App devs and more push back from tech companies against government(s) efforts to stifle their speech when it comes to alerting consumers that the government agencies are in reality doing things that could impact their daily lives.

Wikileaks, helping foreign adversaries bring down democratic nations one leak at a time or helping individuals take back their individual freedoms one shitty leak at a time, only future historians will know that outcome.

anti-antidirt (profile) says:

Think of all the possible ways they can get your messages without actually breaking encryption.

Yeah. A lot. The paradigm of technology and security needs to change.

On Android, when you install a 3rd party keyboard, you’ll get a notification about how the developer can intercept what you type (SwiftKey anyone?).

When something new is around the corner, security should be paramount, not an afterthought once we realize it’s broken.

I don’t think there is enough black electrical tape in the world for every cell phone and webcam.

Thad (user link) says:

Re: Re:

Yeah, there are a lot of reasons why security simply isn’t the fundamental priority in software design that it should be. I’m hoping that, now that we’ve got languages like Rust and Go that can match C’s performance without adopting its 1970-vintage approach to memory management, devs will start slowly making the transition, but a fully-functional OS based on those foundations is a long way off.

(When was the last time a new, built-from-the-ground-up OS got a foothold? Windows NT? I don’t think we can count OSX (based on FreeBSD) or Android or ChromeOS (both use the Linux kernel), and lesser-used OS’s like Blackberry, WebOS, BeOS, and Tizen all seem like also-rans.)

I think we’re likely to see formal verification start to be adopted for highly secure, special-purpose OS’s, but by its nature it’s incredibly labor-intensive and has serious issues with scalability.

Meanwhile, thanks to Android and the IoT, Linux-based OS’s have proven not to be nearly the secure workhorses in consumer electronics that they are in the server market. Torvalds and the other core kernel developers have always focused on compatibility over security, and that’s not likely to change. And honestly they kind of have a point — it doesn’t matter how secure you make your kernel if some jackass is going to stick it on a router that uses a hardcoded root password and an open telnet port and call it a day.

Eldakka (profile) says:

Re: Re:

On Android, when you install a 3rd party keyboard, you’ll get a notification about how the developer can intercept what you type (SwiftKey anyone?).

That’s sorta how keyboards work.

If the keyboard can’t intercept keystrokes (what you are typing), then the keyboard won’t function. If it’s not allowed to intercept keystrokes, it can’t receive input from the touchscreen and then translate that into a keystroke (a, b, c…) to be sent to/from the application that’s using the keyboard (browser, SMS app, etc.).

The problem arises when a keyboard app can:
1) intercept keystrokes (i.e. do its job);
and
2) access communications interfaces (bluetooth, 3/4/X/G, USB, thunderbolt, IR, WiFi).

Therefore a developer of the keyboard, in addition to legitimately intercepting the keystrokes, could also illegitimately forward those on through the communications interfaces.

Of course, there are legitimate reasons for forwarding on the keystrokes – cloud-based handwriting/voice recognition, and so on.

The Wanderer (profile) says:

Re: Re: Re:

Even not permitting a keyboard app access to network communications doesn’t protect against keystroke surveillance entirely.

If you permit it to access storage, and then the people behind it get another app onto your device which does need to access both network communications and storage (such apps being far from uncommon), that app can transmit a stored record of keystrokes.

Anonymous Coward says:

I posted a comment similar to this last week but in light of this I’ll post again. How exactly is Congress or the POTUS supposed to keep the intelligence community accountable? If someone had the info to destroy you (and if they don’t, these leaks show they’re able to fabricate it and cover their tracks) how effective would you be in governing them?

Information is power. Who has the most information? The IC does. So where does the real power lie? With Congress or the group who literally has the information (real or not) to bring any individual or nation down? If you don’t play their game, do you think they’re going to let you get in their way? I guess you could ask Kennedy… Kind of fitting that the password to these documents was a quote from him.

There seems to be a lot of turmoil in the upper echelons of the US government. It’s almost a civil war but it’s all happening behind the scenes. It’s an internal power struggle, and they’re trying to keep up the facade on the whole charade. Interested to see what happens I guess, but I don’t think it’ll be to any of our benefit.

Thad (user link) says:

Re: Re:

The comment about Kennedy veers a little too much into conspiracy theory territory for my tastes, but your point is well-taken. I think far too many people have been ready to praise leaks that serve their own political interests and condemn ones that serve The Other Guy’s, without actually evaluating where they’re coming from and what they mean. (See our metaphor-mixing anonymous friend upthread who insists that it doesn’t matter where the DNC leaks came from, it only matters what was in them — as if it’s not possible for both things to matter.)

The enemy of your enemy is not your friend. There’s no contradiction in thinking that the DNC behaved unethically while also believing that Assange, Putin, et al do not have our best interests at heart in obtaining and publishing Podesta’s emails. Similarly, we’re currently seeing a battle between the White House and the CIA, and between the CIA and the Russian government. Anybody who’s looking for a good guy to root for in any of those conflicts is missing the point. It’s like the poster for Alien vs. Predator: whoever wins, we lose.

Thad (user link) says:

Re: Re: Re: Re:

Sorry, I assumed that when you said “If you don’t play their game, do you think they’re going to let you get in their way? I guess you could ask Kennedy…” it was an allusion to the theory that the CIA was responsible for his assassination, not that you were referring to typical and well-documented tensions between the White House and the IC.

Anonymous Coward says:

Re: Re: Re:

Yes I delved a little too far into things that I can’t prove lol, but as you said, the point still stands. I think if you look into the CIA’s history you will see they are really not deserving of the benefit of your doubt and I have been getting really frustrated with the amount of trust people across the world have in their respective governments.

I agree that people have a huge double standard when it comes to their “teams” and I’ve already seen a lot of people seem to think it’s okay that CIA does this because it’s their “job” and they’re “keeping us safe” by doing this when in reality the purpose is often self serving. It is a fact that they have covertly toppled governments and installed dictators friendly to the economic rape of their country by US corporate interests. And they expect me to trust them? The biggest example of team mentality is obviously Republican vs Democrat. This is a false choice being presented. It’s like a parent asking their kid “would you like peas or carrots with dinner?” Doesn’t matter which one they choose. They’re eating their vegetables without realizing they were tricked into thinking they had a choice. Many people think the only choices they have are the ones presented to them.

We as a people need to realize the things we argue about are relatively petty. We are not each other’s enemy. Everyone has the exact same needs: food, water, shelter, love. But we are intentionally pit against each other on a multitude of nonsense issues. We are asked to pick between two bad things then asked pick sides and don’t forget to ridicule everyone who didn’t pick your side. The government is not on your side and it is our responsibility to keep it in check. A responsibility we have abdicated in favor of letting authority and so-called experts do all of our thinking for us.

The intelligence community has concentrated an immense amount of power and I’m not sure of the amount of control our elected body has over that power.

Anyway, feel like I’ve hit way too many subjects, so I’ll sum it up with what you said: whoever wins, we lose.

Anonymous Coward says:

Re: Re: Re:

Again do they? I know they are supposed to. Did you know the department of defense doesn’t know what they did with $6.5 trillion? The Government Accountability Office has a report that basically states that large portions of the federal budget are completely unauditable. To me it almost seems like they can’t control how much money they’re spending as evidenced by the massive and omnipresent debt. Not proof of anything but it’s at least something to think about.

Anonymous Coward says:

If your interested in security go look at Qubes OS. Its not for phones, but they are looking at security all the way down to the hardware on the system.

Qubes is a virtual machine based OS that allows you to segregate everything you do into separate VMs. This means that if one get hacked or infected the others wont, or at least it is less likely. Also, at least the people behind the OS, look at the whole system to try and make even the hardware more secure from things like BIOS infection.

https://www.qubes-os.org/

Anonymous Coward says:

Re: Re:

This is exactly the kind of thing the developers of Qubes are interested in. Now there is nothing they can do with Qubes on a system that has that vulnerability, but they are pushing for system that have more of an open system so that can be found, or hardware that deals with the in some other way.

That’s why I like Qubes, the developer are interested in fixing the whole system, not just on part. Supporting Qubes OS will hopefully can help that goal.

Thad (user link) says:

Re: Re: Re:

Same as any other free/open-source project: you can’t know for sure, but between the ability to audit the source code and the wisdom of crowds, it’s a lot easier to verify the security than it is with a proprietary project.

(It does appear that Qubes has some optional proprietary components for running Windows VMs. Those do not benefit from allowing users to audit their source, though of course neither does Windows itself.)

Anonymous Coward says:

I know one article elsewhgere says that in the newer cars, they spy on you through the infotainment system. That is one reason why to buy a model where you can replace the factory infotainment system with a different stereo.

You cannot do this anymore with Ford, GM, BMW, or Chrysler vehicles, but you can replace the infotainment system with a third-party model on Toyota.

That is why my next car is going to be a Toyota, where I can replace the infotainment system with a car stereo of my choosing where the CIA, and the like, cannot spy on me.

The CIA cannot spy on a JVC KD-series stereo unit.

If you want to keep the government out of your car stereo, get a Toyota, where you can replace the factory system with a system of your choosing.

Anonymous Coward says:

Presidental concern

At a time when the President is suddenly acting as if he’s concerned about domestic surveillance

I do not believe for one red hot second that President Trump is all that concerned. It was just a handy dead cat to throw on that table to distract from other issues, either current or just about to come up.

And the press, bless their hearts, fell for it.

Again.

Mark Wing (user link) says:

I’ve been trying to envision what a secure OS even looks like. Assuming you have a clean OS to start with, I think you take away most of its attack surface if you don’t allow for new code to be introduced to the system via updates, installed apps, etc. Make all code execute from read-only memory burned onto an EPROM at a factory you trust, and have the whole damn thing sealed in epoxy.

Either way updates and installed apps are the Achilles’ heel of any OS. Every point of trust is a point of attack, which means endless attack vectors to me.

So I think trusted computing will definitely need to be done from the silicon up, using more robust OSes built from more robust programming languages, with better sand boxes, as others here have already suggested.

But still I think the low hanging fruit to trusted computing lies in reducing the number of people/entities you HAVE to trust to use your device effectively, to as close to zero as you can get it.

Right now I’ve had to trust probably hundreds of companies (including AT&T and Frontier) and thousands of people just to look at dog memes on the internet. And at any given time, I don’t even know that the people I’ve given trust to are actually the people I think I trust, and not some man-in-the-middle attack feeding me malicious updates.

At this point, putting back doors in encryption would just be a cherry on top of something that already has a near-infinite attack surface; a big middle finger to anyone who thinks they have privacy.

Anonymous Coward says:

Re: Re:

The best way towards trusted computing is to have completely open source computing, as that way the providers of software do not know who is auditing their code. A closed, single source for your software leaves you trusting a large corporation, and we all know how much those respect the individuals rights.

Mark Wing (user link) says:

Re: Re: Re:

Open source OSes should absolutely be the rule. But let’s suppose you download the source from the official site and compile the OS yourself onto your hard drive.

First off, how do you know it’s the official source or even that you connected to the official server? Web sites, downloads, hashes, etc., can all be spoofed. Hashes have their own attack vectors, and how do you know someone didn’t slip something subtly malicious into the official source? How do you know you’re even calculating the hashes correctly? Are you going to verify the source and/or hashes line-by-line with your eyeballs?

Secondly, how do you know that your “pristine” install wasn’t tampered with while you took your dog for a walk? It’s pretty easy to get code onto most devices if you have physical access. The new fox in the hen house will then happily report that there are no foxes in the hen house.

My point is that trusted computing is currently a Pandora’s Box of mistrust. How do you trust your compiler, or the compiler that compiled your compiler, or even the hardware the compiler compiled your source code on? The rabbit hole goes pretty deep.

Anonymous Coward says:

You Can't Hack Math

The degree of difficulty of a brute-force hack of any particular encryption algorithm does not vary. If the strength of the algorithm places it beyond the capacity of contemporary computability, it’s safe.

If what you’re encrypting is WAY less valuable than the cost to decrypt, you’re safe (unless you piss off an orange with a tweet).

The imperfections of any specific implementation of a particular encryption algorithm on the other hand… The question becomes one of how much you trust the implementer of the algorithm to look out for your interests.

Hardware and software providers make promises. I like to think of these promises the same way I think of the expression "stainless steel" – more of a fond wish than a lifetime guarantee.

Thad (user link) says:

Re: You Can't Hack Math

The degree of difficulty of a brute-force hack of any particular encryption algorithm does not vary. If the strength of the algorithm places it beyond the capacity of contemporary computability, it’s safe.

Well, safe from a brute-force attack. Not safe if you accidentally give your password to a phisher, or install an app with a privilege escalation vulnerability, or any number of other possible attacks.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...