Of all the revelations to come out of the 9,000-page data dump of CIA hacking tools, one of the most explosive is the possibility that the spy agency can compromise Signal, WhatsApp, and other encrypted chat apps. If you use those apps, let's be perfectly clear: Nothing in the WikiLeaks docs says the CIA can do that.
A close reading of the descriptions of mobile hacking outlined in the documents released by WikiLeaks shows that the CIA has not yet cracked those invaluable encryption tools. That has done little to prevent confusion on the matter, something WikiLeaks itself contributed to with a carelessly worded tweet:
X content
This content can also be viewed on the site it originates from.
The end-to-end encryption protocols underpinning these private messaging apps protect all communications as they pass between devices. No one, not even the companies providing the service, can read or see that data while it is in transit. Nothing in the CIA leak disputes that. The underlying software remains every bit as trustworthy now as it was before WikiLeaks released the documents.
Of course, the CIA can compromise the devices sending or receiving those messages. By taking control of a so-called end point, spies can access everything on a smartphone, be it texts, videos, the camera, or the microphone. "It isn't about ‘defeating encryption,’ despite the hype,” says Nicholas Weaver, a computer security researcher at the International Computer Science Institute. “If you compromise a target's phone, you don't care about encryption anymore.”
That makes saying the CIA can “bypass” encryption apps like WhatsApp akin to saying Jimmy Stewart could have bypassed his neighbor’s blinds in Rear Window by breaking into the guy’s house and hiding in his closet. Sure, that's one way to do it. But it doesn't make the blinds any less effective.
It's an important distinction. More than a billion people use Signal and WhatsApp, both of which use Open Whisper System’s Signal Protocol to protect communications. Other end-to-end encrypted apps, like Confide, have also seen a recent uptick in popularity. The people who use these apps rely on that rock-solid security to facilitate sensitive discussions, avoid oppressive regimes, communicate with journalists, and more. Undermining trust in those tools creates the impression that vulnerable people have nowhere to turn. This is not true. They absolutely do.
"The CIA/WikiLeaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption," said Open Whisper Systems in a response on Twitter. "The story isn't about Signal or WhatsApp, but to the extent that it is, we see it as confirmation that what we're doing is working."
The only people who may need to worry are those who might be the target of a total-device takeover, an exploit largely limited to nation-state actors. At that point, you’ve got far bigger concerns than end-to-end encrypted chat. That Signal and WhatsApp are still viable also doesn't lessen the broader implications of the CIA's secrets being in the wild.
"Specifically, users of encrypted comms programs aren't targeted, but everyone is made less safe," says Malwarebytes security researcher Jean-Phillipe Taggart.
Fortunately, WikiLeaks clarified what it meant. After all, it values the ability to keep secrets as well as anyone.
This story has been updated to include a comment from Jean-Phillipe Taggart.
