As alarm bells sound around the latest document dump from WikiLeaks, misinformation can spread like wildfire. Journalists are just starting to pore over the files, but a number of security researchers and privacy advocates are hoping to quash the misconception that encrypted chat apps like Signal and WhatsApp have been compromised.
A now corrected tweet by The New York Times seems to have set some of this speculation in motion.
“I think a lot of people look at the headlines from this morning and think ‘Oh well, I shouldn’t use those apps,'” Ross Schulman of the Open Technology Institute explained in a call with TechCrunch. “What is actually true is that those apps are really important for people to use, they protect a lot of people.”
What is actually true is that those apps are really important for people to use, they protect a lot of people. Ross Schulman
The main distinction here is that if a device like your smartphone is compromised, say through malware in iOS for example, no amount of encryption can make it safe again.
“There’s nothing that the app can do, it has to decrypt the message in order for you to read it, otherwise it would be kind of useless,” Schulman explains. “And when that happens, that’s when malware on the computer or on the handset can kick in and read the plain text just as well as you can.”
In spite of the misconceptions, some in security still see the WikiLeaks Vault7 data as a wake-up call for those who don’t yet take privacy seriously. “Signal, WhatsApp and other encrypted messaging services are still functioning exactly as originally intended as the hackers aren’t ‘breaking’ that encryption,” Ajay Arora, CEO and co-founder of security firm Vera, told TechCrunch.
“Security is all about a series of layers concentrating on depth and breadth. The encryption of the apps themselves isn’t what’s in question and people who want to continue to use their favorite apps, should. However they should also consider other measures of security, as there is no one silver bullet to solve all security issues.”
According to Joseph Hall, chief technologist for the Center for Democracy & Technology, the WikiLeaks files do not appear to contain any evidence that apps like Signal have been compromised. “It’s one of these unfortunate collisions of a whole lot of data and a whole lot of interests all at once,” Hall told TechCrunch. “There’s nothing that seems to indicate that the crypto is broken.”
Hall thinks the documents might contain some interesting details that further confirm ongoing concerns around the kind of poorly secured IoT devices we bring into our homes, but the worry over Signal is misguided. “They seem to be getting into the devices before the encryption is applied,” Hall explains.
If the CIA (or anyone else) gains access to your device, it gains total control. Hall explains how this would work with hypothetical spying malware:
“They can install a little thing that can take a picture of your screen every half a second or something like that. And that would be pretty useful for one reading anything that you type into one of these encrypted messaging apps, but also reading anything you read in these encrypted messaging apps. It’s not just about your messages but about anyone you communicate with as well.”
Ultimately, encrypted apps like Signal remain one of the most robust ways to protect your private communications — today’s WikiLeaks news didn’t change that.
“Unfortunately, you have to keep very, very good control over your phone,” Hall said. “There’s just no perfect answer in terms of being 100% unexploitable by these powerful, powerful governments.”