Is your Samsung TV spying on you? Have smart phone communications applications previously regarded as secure from snooping been breached? Should we just give up trying to protect our privacy in the face of remorseless intelligence agency assaults on the security of the internet?
There’s no doubt the latest WikiLeaks document cache is a blockbuster: a trove of documents detailing the CIA’s extensive catalogue of cyber-espionage tools. And some of the headlines about the release, suggesting encrypted apps like Signal were no longer safe, would send shockwaves through the many people — from journalists and politicians to whistleblowers and activists — who rely on encrypted apps to communicate beyond the reach of governments like our own that use their powers to spy on citizens.
For the non-technically minded, however, here are three key messages from the material and expert coverage so far:
1. Encrypted apps are still safe — but your device may not be
The CIA hasn’t managed to break the encryption used by secured communication apps, or that used by major services providers like Google and Apple. What they’ve done is target the operating systems of the devices on which the apps and services run. And they’ve used security flaws in the Android and iOS operating systems to gain unauthorised access — or they’ve purchased exploits that do so. Take, for example, an exploit called Earth/Eve which uses a flaw in Apple’s iOS to provide remote access to an Apple mobile device — it was bought by the National Security Agency from an unknown party. Or, if you use an Android phone, there’s a list of exploits bought, developed and obtained by the CIA here. If anything, the focus on attacking device operating systems suggests encryption is actually an effective tool to preventing governments from spying on your communications — but only as long as Apple, Google and other operating system developers know about and rapidly patch vulnerabilities.
2. Mass surveillance makes us all less safe
As Edward Snowden has been pointing out today, the most alarming thing about these documents is that intelligence agencies know about major security problems in the world’s most widely used devices — problems that could be exploited by terrorists, organised, pedophiles, anyone with malicious intent on the internet — and rather than draw them to the attention of manufacturers, they are hiding them in order to exploit them themselves. The result is that the actions of security agencies — who purportedly are supposed to make us safer — make us less safe.
Moreover, by using taxpayer money to pay hackers, criminals and other governments for exploits that allow them to use security vulnerabilities, western intelligence agencies are creating incentives for the constant exploitation of vulnerabilities, adding perhaps hundreds of millions of dollars of demand to a black market in exploits. Not merely are security agencies making our devices less safe, they’re providing resources to malicious actors who want to break into them.
3. The Internet of Things sucks
If you haven’t worked out by now that the so-called, and relentlessly hyped “Internet of Things” is bad news for security and privacy, you haven’t been paying attention. That Samsung TV that’s spying on you? It didn’t take the CIA to work that out: Samsung itself warned us all two years ago that anything we said in front of one of its smart TVs could be recorded and provided to third parties. That was a few months before we learnt Samsung’s smart fridge could be used to steal your Gmail password. Fridges can also be used in botnets. Nor is it just your appliances or Samsung — fitness apps have been hacked. Pacemakers can be hacked. Baby monitor and household CCTV hacking is a virtual minor industry.
And while WikiLeaks warns that intelligence agencies gaining access to motor vehicles could lead to “nearly undetectable assassinations”, more prosaically, the growth of internet-connected vehicles and the emergence of driverless cars means you’ll never be able to drive anywhere without extensive monitoring of your location being retained by private companies and stored, often unsecurely, in cloud servers. Just ask the 800,000 families who bought Cloudpets — internet-enabled stuffed toys — and have now learnt their passwords, children’s data and recordings were stolen earlier this year.
While the trade-off of privacy and safer roads and better driving might make driverless cars acceptable, the often dubious benefits of internet-connected appliances and toys is a minimal offset to the massive security threat such devices represent, especially for people who can’t be bothered to, or don’t even realise they can, change the default password such devices come with. As IoT critics like to point out, these aren’t appliances and devices with an internet connection, they are computers that happen to wash your dishes, chill your food or entertain your children. And they should be treated with the same security rigour as other computers — by both users and manufacturers.