The CIA Didn’t Break Signal or WhatsApp, Despite What You’ve Heard

There’s been one particularly misleading claim repeated throughout coverage of CIA documents released by WikiLeaks today: that the agency’s in-house hackers “bypassed” the encryption used by popular secure-chat software like Signal and WhatsApp.

By specifically mentioning these apps, news outlets implied that the agency has a means of getting through the protections built into the chat systems. It doesn’t. Instead, it has the ability, in some cases, to take control of entire phones; accessing encrypted chats is simply one of many security implications of this. WikiLeaks’ own analysis of the documents at least briefly acknowledges this, stating that CIA “techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the ‘smart’ phones that they run on and collecting audio and message traffic before encryption is applied.”

The claim was then taken out of what little context WikiLeaks provided and repeated by widely read outlets like the New York Times:

the Boston Globe:

WikiLeaks says its CIA disclosures indicate agency can bypass encryption on popular messaging services https://t.co/ezNp0oX87B pic.twitter.com/2knXpoknG5

— The Boston Globe (@BostonGlobe) March 7, 2017

Mashable:

and this AP reporter retweeted by the AP itself:

Are you worried about WikiLeaks' revelations that confidential messaging apps are not actually secure? Or not? Email me at bortutay@ap.org

— BarbaraOrtutay (@BarbaraOrtutay) March 7, 2017

Contrary to the clear implication from these journalists and news sources, the documents WikiLeaks published do not appear to show any attack specific to Signal or WhatsApp, but rather a means of hijacking your entire phone, which would of course “bypass” encrypted chat apps because it thwarts virtually all other security systems on the device, granting total remote access to the CIA.

The WikiLeaks dump also includes information about CIA malware that can hack, and remotely spy on and control, computers running Windows, macOS, and Linux. Which means that it’s also true that the CIA can bypass PGP email encryption on your computer. And the CIA can bypass your VPN. And the CIA can see everything you’re doing in Tor Browser. All of these things can be inferred by the documents, but that doesn’t mean using PGP, VPNs, or Tor Browser isn’t safe. Basically, if the CIA can hack a device and gain full control of it — whether it’s a smartphone, a laptop, or a TV with a microphone — it can spy on everything that happens on that device. Saying Signal is bypassed because the CIA has control of the entire device Signal is installed on is akin to saying the diary you keep in your bedside table is vulnerable because the CIA has the ability to break into your house. It’s true, technically, but not exactly a revelation, and odd to fixate on to the exclusion of other vulnerable items.

We deleted this earlier tweet to the article to provide more context. https://t.co/uQ73DIX6VH pic.twitter.com/wNjWx9l978

— The New York Times (@nytimes) March 7, 2017

To its credit, the Times deleted its tweet and changed the language it used in its article, but there’s probably going to be some lingering damage in the form of people now under the impression that using Signal or WhatsApp could make them less safe, when the reverse is true.

The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption.

— Signal (@signalapp) March 7, 2017

It of course remains possible (as it always has and always will) that the CIA has cracked the encryption of Signal, WhatsApp, or any other piece of software. But WikiLeaks hasn’t provided any evidence of that here today.