When was the last time you heard about “Wikileaks”? This time the organization, famous for leaking important official government documents and files, has leaked a plethora of US based Central Intelligence Agency’s data.
Codenamed “Vault 7” the data includes more than 8,700 files that are claimed to be from the CIA itself. Of course the information hasn’t been verified so take this with a grain of salt.
Wikileaks claims that CIA lost control of an important archive which contained information about how they hack devices. The data got into the hands of former US government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.
Devices CIA can Hack
If the reports are true then CIA can hack devices ranging from:
- Android phones
- iPhones
- Smart TVs (the report mentions Samsung TVs specifically)
- Routers
- Windows and Linux computers
- Mac computers
CIA Can Read Your WhatsApp Messages
Another important revelation by Wikileaks was that the CIA can read your WhatsApp messages before they get encrypted. That’s right, the end-to-end encryption doesn’t deter CIA at all. This is because if CIA hacks your phone, they can have access to anything they want. Doesn’t matter if your messages are encrypted, if CIA can read them while you type them or read them yourself, end-to-end encryption is pretty much useless.
Keep in mind, WhatsApp, Signal and other apps were not hacked, its the OS that is the issue, as Edward Snowden points out:
PSA: This incorrectly implies CIA hacked these apps / encryption. But the docs show iOS/Android are what got hacked – a much bigger problem. https://t.co/Bw9AkBpOdt
— Edward Snowden (@Snowden) March 7, 2017
The OS is At Fault
Keep in mind that this doesn’t render encryption itself obsolete. The encryption stops the messages from being read after they are sent from your phone. It helps stop hackers from siphoning through public internet to read private messages.
The problem here is the OS and not the apps with both Apple’s iOS and Google’s Android being hacked by the CIA.
According to the reports, CIA hacked the above mentioned devices in a myriad of ways including:
- malware
- viruses
- trojans
- zero-day exploits (security flaws in an OS which the manufacturer doesn’t know of, so they haven’t been fixed)
Problems May Have Been Fixed
The documents cover CIA’s program from 2013 to 2016. It is yet unclear whether the CIA still uses the same methods to hack these devices or not. The OS versions were also not specified so it is possible that some of the zero day exploits and issues may have been patched out.
Via CNet
Windows phones are safe?
Yes I Love LUMIA
I think encryption on phone-level can play a big role here.
phone-level ??? when the whole operating system is designed by google. i think not.
Why don’t you try reading a little? It affects iOS also, as well as Smart TVs (with our without Android). Nothing to do with Google here.
well. I’ve read alot of things regarding this subject and if you see what edward snowden leaked about project prism (a mass surveillance program that was launched by the NSA) in 2014, google and apple were part of the project. if the company is giving your data to the NSA, then it doesn’t really matter how strong your e2e is with them.
Google or other companies are irrelevant when you use third party software like Signal for which source code is available for everything except voice calls.
Short answer: no.
I don’t need the short answer. Phone Encryption on vanilla phone won’t expose your data to them.
I am sorry to tell you this, but encryption keys on newer Android phones (KitKat and above) can be stored in hardware. It is an ARM processor feature, called TrustZone.
And security zone on Qualcomm chips was publicly hacked ten months ago. That lets attackers extract the key used for Full Disk Encryption or other security keys from the phone and then decrypt it. However it is not a simple process. Who knows if other company processors are also hacked (MediaTek, Samsung, etc).
So the long answer is: don’t depend FDE being safe.
Thanks @Shahid. This is a serious issue. I guess that’s a strong marketing point for Nokia to use SHA-256 for FDE in their devices.
I found an article which explains in detail how FDE can be compromised – if anyone wants to read further.
http://www.networkworld.com/article/3091129/security/the-full-disk-encryption-protecting-your-android-can-be-cracked.html
Thanks @Shahid. This is a serious issue. I guess that’s a strong marketing point for Nokia to use SHA-256 for FDE in their devices.
I found an article which explains in detail how FDE can be compromised – if anyone wants to read further.
It is not a question of the size of the keys but whether they can be extracted from the TrustZone. On newer processors Qualcomm has fixed the issue, and I think there is a patch that manufacturers can apply to older phones.
encryption doesn’t matter that much IMO. because you can’t trust these big companies anymore, if you want absolute security then remove all the google stuff from a smartphone and modify the linux kernel. Blackphone 2 did exactly this type of thing to make their flagships secure.
Blackphone and every other phone like it is a failure for one simple reason: they may control the operating system and software that runs on their main processor, but they do not control the realtime operating system that runs on their “baseband processor” (the one that communicates with the mobile networks. In fact, for every phone you will find, you can never NEVER get the source code for the baseband processor’s software or specs of the baseband processor so you can write your own software.
Google online for the baseband processor problem if you don’t believe me. There is no way to make phones secure.
well, that’s a drag. You were right about the blackphone and the BBP problem. There is one solution though, and that is OsmocomBB, it is basically an open source low level firmware for the BBP. Right now the secure phone is impractical (maybe not, as neo900 gives a new hope by sandboxing the BBP, or i dunno maybe OsmocomBB may support modern BBP) but not Impossible, and its also sad to see how tragically OsmocomBB is underfunded, underhyped, and under-hacked-on. But if you get hardware supported by OsmocomBB (most probably going to be a 1980-1990 hardware) it is possible to do all the s*** yourself and make it secure, and even then 0days are always there. damm security is hard :/. i miss the good ol’ radio days
ps: Secure phone, it’s not impossible.
Wikileaks further revealed in their Vault7 leaks that PTCL internet devices are important target of interest for CIA. https://uploads.disquscdn.com/images/6e30aadc9c45839d2e106eb3c46361bc10d7c9b961da853f51ea92d98b818498.jpg
I need to know about android phone encryption, does it work..? Anyone who knows about security and encryption please comment…!
Main to Apna WhatsAPPS Status Bhi Urdu Main Dalta Ho Us Main Shaadi Ki Baten Hoti Hai :
Thanks for reading Koi to Milayga Is Bahany Mujhy
Yes, and I’m sure everyone in your contacts cares about you.
The article and Snowdon and others make it very clear no one has broken WhatsApp’s encryption. Quit spreading lies.
if you look at it as NSA’s pov, they don’t really need to break the encryption, because at the end of the day i wouldn’t trust whatsapp for that. and sorry i misunderstood a little.