Vault 7: CIA Bypasses Encryption Apps Used by Whistleblowers, Press

Secure text apps nearly worthless on targeted phones

Kit Daniels
March 7, 2017

The CIA can effectively bypass the encryption used in secure texting apps popular with whistleblowers and journalists.

Credit: Microsiervos / Flickr

By collecting audio and text messages on a targeted phone before they’re encrypted for another party, the CIA can effectively suck up the private data sent on Signal, Telegram, WhatsApp and other secure apps, according to the Vault 7 document dump by Wikileaks.

It’s a confirmation of a long-standing assumption that intelligence agencies intercepted data after it was transcribed on a keyboard but before it could be encrypted by software.

“The CIA’s Mobile Devices Branch (MDB) developed numerous attacks to remotely hack and control popular smart phones. Infected phones can be instructed to send the CIA the user’s geolocation, audio and text communications as well as covertly activate the phone’s camera and microphone,” Wikileaks reported. “…These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the ‘smart’ phones that they run on and collecting audio and message traffic before encryption is applied.”

This is akin to having a burglar already inside your house who steals your valuables before you can lock them in a safe.

To sum it up, the effectiveness of these secure apps is undermined by the CIA-created vulnerabilities on affected phones.

  • A d v e r t i s e m e n t

These vulnerabilities include “zero day” exploits, which are named for the fact that the security holes are exploited before the community is aware of them on “day zero.”

“Zero day” vulnerabilities can exist naturally in buggy software; typically they can exist anywhere from three months to nearly three years before being recognized as a security threat.

“The CIA also runs a very…

Read more