Despite what you've heard, Signal and WhatsApp haven't been compromised.... yet
On Tuesday, WikiLeaks trumpeted the release of what they proclaimed is a treasure trove of damning CIA documents outlining the agency's portfolio of hacking tools. They call it "Vault7."
And then, in a few now-deleted tweets, WikiLeaks said the CIA can "bypass" encrypted messaging apps like Signal and WhatsApp, effectively implying users who believe they are safe communicating confidentially with these apps are vulnerable to CIA surveillance.
The cryptography community let out a collective sigh and rolled their eyes. Tech luminaries and privacy advocates have been working for years to get people to care about digital security, and the election of Donald Trump has inspired a new generation of activists to take up private messaging as an essential tool. People finally care.
The idea that the CIA has hacked these apps is false — the documents don't show that Signal or WhatsApp could be bypassed. As the New York Times pointed out, those apps aren't mentioned in the Vault7 documents at all.
"These aren't vulnerabilities in anything that we've developed," Moxie Marlinspike, the founder of Signal, told NPR.
The documents demonstrate the CIA has creative ways of getting around encryption by hacking into devices and phones (often by gaining total user access to the phone itself and all of its private data). This is information is nothing new, bordering on very old.
A colorful analogy, one among dozens of bad analogies for how cryptography works, might be the difference between sitting along a road and being able to swipe the goods out of any armored car that passes by, and pulling an elaborate heist wherein the attacker ends up in the driver's seat of the armored car without anyone noticing.
But what the CIA did do was remind us that using Signal alone isn't enough.
In order to protect your information, you need to have good "OpSec," or operations security. This means that no matter what tools you pick up, you need to be constantly aware of how to safely use them without slipping up, even once. After all, you can spend hundreds of dollars on a lock that keeps the door to your home safe from burglars, but that money is wasted if you leave your ground-level windows open, or if the key is just sitting under the welcome mat.
There are a number of ways to practice good OpSec for your devices. You can get a password manager that creates a myriad set of difficult-to-crack passwords for all of your accounts. You can enable two-factor authentication on your email and apps. You can be careful of connecting to strange Wi-Fi networks in public.
Without these kinds of protections, anyone sufficiently motivated can find a creative way to get around the encryption in your messaging app.
For now, though, Signal itself is safe so long as your smartphone is secure. "If anything, it was obviously embarrassing to the CIA that this information got out, but it's also somewhat embarrassing that this is their level of sophistication," Marlinspike said. "There's a tendency to sort of think, 'Oh my God,' you know, 'the CIA has these insane capabilities,' and I think the truth is somewhat different."
As for the vulnerabilities in the smartphones themselves — the kind that would allow hackers to view your encrypted messages — Marlinspike said they were less of a problem than some of the coverage intimated. "I would imagine that most of the things have already been fixed," he said.
When it's revealed that the CIA or National Security Agency has found a way to remotely break through the cryptography of a message in transit — not by finding a work-around, but actually decrypting information without the original key — it'll be a landmark accomplishment. Front-page news. Cause for serious alarm for activists, journalists and political dissidents worldwide.
But it hasn't happened yet.