Is data on devices safe from mass surveillance?

Last week, Wikileaks has published a “Year Zero” set of documents. The Vault 7 series of 8,761 documents describes the electronic surveillance performed by the United States Central Intelligence Agency and is the biggest leak about the CIA so far. On Twitter, Wikileaks claimed, that the CIA can effectively bypass Signal + Telegram + WhatsApp + Confide encryption. According to the publications about the CIA, the agency has developed methods for intercepting messages users share in secure instant messengers. however, despite the revelations of Wikileaks, secure messengers are still an invulnerable fortress for the CIA.

In fact, the document array contains a hacker toolkit for accessing the phones on iOS and Android. A closer look at the documents revealed that the technologies CIA used to get access to conversations crack operating systems, not secure messengers.

If the agency penetrates an Android, it is allegedly able to collect “audio and message traffic before encryption is applied”. WikiLeaks clarified this later. This means that encrypted messengers stayed safe, while operating systems turned out to be vulnerable to attacks. After the revelations, Apple, Google, and other operating system manufacturers are likely to promptly examine and patch their software now as the drawbacks were made public.

What Wikileaks speaks about is not the fault of messaging apps security — it is a fundamental limitation of the security model. If you get access to the operating system of the device, you can collect the passwords a user enters and bypass the protection of installed applications.

Privacy-focused communication apps are no less secure after the Wikileaks revelation. In secure messaging apps, end-to-end encryption protocols protect all transmitted data, including messages, files, calls and video chats. If you use VIPole messenger for private conversations and sharing sensitive documents, your data is protected not just in transit, but at rest as well. Even if anyone manages to get access to your device — we’ve got you covered, your data stored on it is encrypted.

The fact that CIA is putting efforts into cracking operating systems is another proof of the effectiveness of encrypted communication technologies. As the agency failed to break encryption, they put efforts into breaking the systems that manage all apps on devices.

“The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption. The story isn’t about Signal or WhatsApp, but to the extent that it is, we see it as confirmation that what we’re doing is working.”

said Open Whisper Systems in a response to WikiLeaks on Twitter.

Enhancing the security and privacy of communications

You can undertake a number of emergency measures as soon as you see that the device is exposed, including removing documents and clearing history from communications apps remotely. There is also a number precautions that will help you eliminate the risk of unauthorized access and protect information on your devices. If you have other tips to add, would be great to read your comments.

1. Use secure messengers with encrypted message and data storage on devices for messaging, file sharing and calls.

2.Use licensed software and update it as soon as new versions are released. In the case revealed by Wikileaks, operating systems are vulnerable, and the manufacturers of operating systems will work to patch them.

3.Use the services of the vendors that update their firmware regularly.

4.Do not install unlicensed software on your computer, phone or tablet, and never open suspicious links.

5. Set passwords with good entropy. You can generate strong passwords in the VIPole password manager.

6. HTTP is a no go, use HTTPS.

7. Do not connect to unfamiliar Wi-Fi networks.

8. Never hand your devices to untrusted people and do not leave them unattended.

9. When using the VIPole desktop version, consider using the virtual keyboard for most sensitive cases. This ensures protection against keyloggers.

10. Read more about privacy protection and encrypted communication in our blog, and ensure that your conversations and documents are safe from the overreach of surveillance agencies.

We hope that that Wikileaks will work directly with tech companies to provide more details about CIA attack techniques so that companies could fix them faster and make their customers safer. Rising awareness about privacy threats is important, but protecting personal data before it is compromised is no less important.