Latest WikiLeaks on encryption bypass


#1

Insights, comments, other on this claim??
"WikiLeaks release said that the C.I.A. and allied intelligence services had managed to bypass encryption on popular phone and messaging services such as Signal, WhatsApp and Telegram. According to the statement from WikiLeaks, government hackers can penetrate Android phones and collect “audio and message traffic before encryption is applied.”


#2

What's the source for this?


#3

Washington Post lead article today, just published:


#4

well if it's true (documents can be faked as the article says) then it seriously damages the reputation of encryption apps. I am particularly shocked it mentions Signal and Telegram. I hope they issue a statement soon to address this.

Then again, it could be a misinformation campaign by the CIA to undermine confidence in encryption apps. The CIA could have leaked the documents to Wikileaks themselves, making people doubt these apps.


#5

Well yeah, if you get a computer to run a program that does what you want, rather than what its designers intended or its owner expects, then end-to-end encryption doesn't protect that device owner. That's why it's called end-to-end encryption. It has to end somewhere.

Compromising a computer is fundamentally different than breaking an encryption protocol or an encryption primitive.

It is unsurprising that the CIA has found or bought numerous flaws in common consumer operating systems, such as Android and iOS.

Computers will never be fundamentally secure, because their most important benefit is that they can run any program, even programs that haven't yet been written. This is why we use computers and why they make us so productive. Operating system designers come up with all sorts of clever ways to try and allow the user to run any program they desire, while also preventing unauthorized people from doing so, but ultimately all of these defenses are just compromises, at best. A truly secure computer wouldn't be Turing complete, meaning that it would not be able to run any program. A walkie-talkie radio, for example, is not programmable, and is therefore secure. The trade-off is that it can only do one thing well.

Breaking an encryption protocol or primitive (cryptanalysis) is not like getting a computer to run a program that its owners and designers did not expect or want. When people break an encryption protocol or primitive, they are dealing with the cipher text that is traveling over the wire (or which is broadcast into the air).

Broadly speaking, cryptanalysis is about pattern recognition. Although encryption protocols and primitives are periodically broken through cryptanalysis, this is both more catastrophic and much rarer than the discovery of exploitable flaws in computer operating systems, which happens nearly every day.

Breaks in well-reviewed and trusted crypto protocols are much less frequent. The life span of a well-reviewed and trusted crypto protocol, block cipher, or hash function is closer to ten or even twenty years.

Nothing in Wikileaks' statement or the Washington Post article remotely suggests that the CIA has broken the encryption protocol in Signal and WhatsApp. In fact, the article says exactly the opposite:

"In its news release, WikiLeaks said the files enable the agency to bypass popular encryption-enabled applications — including WhatsApp, Signal and Telegram — used by millions of people to safeguard their communications. But experts said that rather than defeating the encryption of those applications, the CIA’s methods rely on exploiting vulnerabilities in the devices on which they are installed, a method referred to as “hacking the endpoint.”

Also, this dump is made up of documents describing exploits, rather than exploits themselves. There's one Python script in there, but it just mirrors what's going on on the target machine. The exploit is the unlocked window that no one knows is unlocked, but this Python script is the bin you put the silver in on your way out. Fundamentally uninteresting. All of the actual exploits described here weren't dumped, as far as I can tell, so either: they weren't exfiltrated by the leaker, or Wikileaks just kept them or handed them over to someone else.

If you browse through the list of tools, you'll notice that a lot of them require physical access to the target device. There are some RCE (remote code execution) tools described here, but a lot of these tools look like they are designed to take advantage of momentary physical access to a target device, which makes sense for a HUMINT outfit like CIA.

Basically, there's no reason to freak out about this dump. The real question is cui bono?


#6

. . .

Great clarification thanks Ethan.

Who benefits? You mean from leaking all this stuff to Wikileaks?

The CIA, possibly, by encouraging counter-snoops off the interwebs and back into the HUMINT area.

Or did I misunderstand your question?

. . .


#7

Great clarification thanks Ethan.

Cheers :slight_smile:

Who benefits? You mean from leaking all this stuff to Wikileaks?

Yes, exactly. Someone leaked this to shape the public narrative. It could be someone at CIA, or some other group (possibly a foreign intelligence service), that was able to steal this information from CIA, and then chose to leak it through Wikileaks. If it's the latter, then that group decided to burn whatever access they might have obtained in the process of stealing this information (since CIA will now investigate the breach), in exchange for the publicity of leaking this.

From a layman's perspective, this doesn't seem like a leaker at CIA. This dump describes exactly the sort of thing that one would expect the CIA to do. The headline here is about as shocking as "DOJ prosecutes people, news at 11."

You could make the argument (and Snowden has, on Twitter), that CIA shouldn't be hoarding exploits, because leaving them unpatched makes those computer operating systems less secure. While this is technically correct, there are so many vulnerabilities in computer operating systems, which are made up of millions and millions of lines of (rapidly changing) code, it's hard to argue that patching vulnerabilities alone is going to make people safer, especially since other nations' intelligence services are not going to disclose the vulnerabilities they have discovered. One possibility is for the US government to just throw money at the problem by buying exploits and patching them, but I'm not convinced this will work. Other governments will still need exploits for espionage purposes, so they can pay researchers with security clearances to find vulnerabilities and develop exploits. Those people won't be able to participate in a hypothetical U.S. funded global bug bounty program, because they would be committing espionage by doing so and would be vulnerable to prosecution by their own government.

So anyway, that's a roundabout way of saying: the leak is boring. Who leaked it and why?


#8

Genuinely excellent and insightful points as usual, Ethan! You should write a book!! Thanks for commenting!

Purely speculative, and likely incorrect but I wonder if the CIA itself leaked the info because (to the casual reader) the implication is "You can't hide from us behind encryption" and the possible conclusion is "so don't bother to use it".


#9

Personally, I don't think this is terribly likely. Exploits just don't scale in the same way that a broken or backdoored crypto primitive can. The more that an exploit is used, the more likely it is that it will be discovered, and the operative vulnerability patched. So, you can't just hack every Windows/macOS/iPhone/Android user on the planet with these tools, without exposing them and rendering them useless.

This means that using end-to-end encryption is a good idea even though operating systems contain vulnerabilities, because you can't hack everyone all the time without exposing your method and breaking your own access. Exploits are like magic tricks: once you know the trick, you've killed the act, because anyone can do it and the audience sees it coming (and it gets patched).

If you have a break or a backdoor in a crypto primitive or protocol, then you can decrypt traffic passively, over the wire, without a trace. This is the truly scary capability. Nothing like that is in this leak. It's just a bunch of documents that describe hacking tools that aren't even included in the dump.

So, unless this story is reported in an irresponsible way (cough hello Guardian), then people won't conclude from this leak that they shouldn't use Whatsapp or Signal, which they totally should use.


#10

Boring?

Perhaps to someone familiar with such things, but dismissing this leak as just-what-they-do is just ... a ... little .... sophist, at least for my tastes.

On that basis, journalists might as well have not published the Pentagon Papers, because, heck, that's what the military does, doesn't it? Kill people and waste billions of dollars?

The suggestion here is that it's not the CIA, and that someone is benefiting from the leak. There is a third possibility, to which Occam's razor may or may not apply - that out of the 5,000 people given access to these tools, an increasing percentage grew increasingly uncomfortable with what these tools were set up to do (spy on foreigners, legally), and what they ended up being used for (spying on domestic targets, illegally).

Within a country exposed to almost Stalinist levels of oath-making and flag waving, an allegiance to defend against all enemies "foreign or domestic" may be kicking in at deeper levels than even deep state protagonists appreciate?


#11

Sure, and if these tools were used against domestic targets, or were used inappropriately against foreign targets (politicians of U.S. allies, journalists, civil society organizations, NGOs, attorneys, or ordinary people with no connection to espionage or diplomacy), then that would be a huge story.

That's not what the leak is, though. It's a bunch of manuals for using hacking tools, many of which require physical access to the target machine. This is one step above leaking the CIA's lock picking guides.


#12

um,

heard of the GCHQ?


#13

Where is the document that shows this tool was used to spy on journalists and human rights groups? This is just a screencap of Wikileaks' website, annotated by Snowden.

If there are documents in there that show that, I would be very interested to learn more. I skimmed the dump, so if that's documented in there, that would be huge.


#14

Oh. Right.

GCHQ got millions of lines of code, and having successfully had laws pushed through to allow it to spy on anyone in the UK, or indeed anywhere on the planet, which it may or may not share with its security partners, left them all on the shelf.

Nothing to see here. Move along?


#15

I think we're having a miscommunication. I am not saying that allied foreign intelligence services do not swap info as a backhanded way of looking at domestic targets, or that foreign intelligence services haven't done, or don't currently do things that are difficult to reconcile with liberal democracy.

I am saying that this dump is only a list of tools, as far as I can tell, and that these are tools which one would expect the CIA to have and use.

We might agree that some foreign policy or other is reprehensible, but "omg the military has guns and missiles" is not a particularly shocking revelation.

Espionage happens.


#16

Fascinating and informative conversation! Not being sophisticated in crypto (or IT for that matter), I'm following this with considerable interest. Frankly, I don't expect to read anything insightful in the general press, so I'm hoping to learn more here and maybe "The Intercept".


#17

Pardon my tone!

Just trying to get my head around this all. Hmmm, and as I typed that, my Android standby (actually Spotify player, and that's it) spontaneously restarts. Hmmm ...

Anyhoo, same as KAC, I'm no IT type. But taking a step or two back, if the argument is that documents showing use of the code by an agency would be 'yuge' i.e. a smoking gun, then perhaps we can agree that we've certainly been shown the gun, even if there is not yet any evidence we've seen from Vault7 that denotes actual smoke.

Short of governments abandoning national security secrecy protections, however, we may never get what your argument seems to demand - actual signed off documents showing who, what, when etc. Preferably with accompanying video, unblurred, showing phone calls up the chain of command to "God bless America."

What we do have is extensive documentation from other leaks and exposes, stretching back decades, showing that the CIA and partner agencies have used these methods and more, and have argued strongly for more and more legal and financial capacity to do more and more of the same, but better.

As you say, "espionage happens", so forgive me for not dismissing this as just a step above popping a lock on the bicycle shed. If it is, what a lock, what a bicycle, and what a shed.


#18

Jason,

I assume (as does everybody who's devoted a moment's worth of attention to the matter that any online material is subject to examination and exhumation by commercial and non-commercial entities. For instance, Facebook extends "ownership" claims to posted material, tracks user web activity and engages in other privacy invasions I don't support, so I don't use it or any other social media for that matter (this forum excepted). I also assume that various law enforcement and data-mining companies routinely data-mine internet content and they use what they find for other purposes. Finally, I assume that if enough people routinely use encryption, it's harder to separate the "wheat from the chaff" (to use a tired phrase). Widespread adoption of this prudent and increasingly simple, available precaution indirectly extends protection to journalists and others who actually need it.

Getting back to the original WikiLeaks material (which I've not read and probably wouldn't understand anyway), I suspect that various agencies are using these and other methods to obtain information on targeted communications. I don't think a "smoking gun" is needed to confirm that: just, for example, look at IMSI catcher use by law enforcement, PRISM, X-Keyscore, etc, etc, etc. If you're a "person of interest" to government agencies, you'd best have the expertise of Ethan or Snowden at your command...or you're screwed.


#19

Thanks, but I'm not an expert. I'm about as knowledgeable and capable as an entry-level undergraduate summer intern at a mid-to-large tech company.

Unfortunately, the software engineering and journalism worlds don't mix much, so people from outside of tech often have some trouble accurately assessing an individual's level of technical skill.

The only thing that differentiates me from your average CS intern is that I have some experience working by with and through at risk users (activists). Other than that I'm afraid that I'm well below average, skill wise.

Sorry to disappoint :slight_smile:

If you want to talk to an actual badass, go ping Adam Langely or Morgan Marquis Boire.


#20

Ethan, you're too modest. I know Morgan is with "The Intercept" and I expect an article on this material will be published soon. Who is Adam Langely? A search turns up some people who probably aren't the guy in question.