The good and bad of Wikileaks' Vault 7 dump

On Tuesday (March 7, 2017 if you're reading from the future) Wikileaks released the Vault 7 CIA files. These dumped a ton of information along with some Tweets about how journalists were supposed to be afraid that the CIA has tapped into everyone's phone and that encrypted messaging has been hacked. This produced the expected results, where words were quickly typed to let you know how everything has changed and this is some horrible new thing you should be afraid of. Wikileaks is good at that; they know how to dangle a carrot and make people spread their message regardless of any facts or truth. P.T. Barnum would approve.

But after taking the time to look at the claims and dig beyond the hyperbole, there are some things to be learned from the Vault 7 files. They should make you concerned, but not afraid, when you use your phone to do anything you wouldn't want the rest of the world to see.


The good news is that regardless of what's being claimed, secure encryption methods appear to be secure. WhatsApp, Telegram, and Signal are popular messaging apps that support end to end encryption and were called out by Wikileaks in connection with the leaked materials. Further inspection of the claims shows that the actual encryption hasn't been cracked. These apps don't even appear in any of the files from the CIA by name, and the tools and tricks mentioned in the leaked documents say nothing about "bypassing" the encryption used by them. In fact, it all supports how strong the encryption is and shows that Wikileaks was just playing fast and loose with the news as they're prone to do.

The takeaway from Vault 7 is that encryption methods really are strong and we should be using them.

The suggestion from Wikileaks that your Android or iPhone isn't secure is the same type of over-the-top claim: true on some level, but stretching the truth just enough to be sensational. There are plenty of valid tools to exploit known security issues for Android and iOS detailed in the leaks. The biggest issue is that none of them are new: they're the same threats and vulnerabilities you see people like me talking about when we say you need to take your privacy a little more seriously. Some have been patched, some never worked as advertised, and most involve someone having your phone in their hands connected to a computer. We should all be concerned about these things, and it's why we claim security patches are so important. But nothing leaked should make you more afraid to use your phone than you were last week.

The bad news from the CIA files is how the security landscape has changed. Where surveillance used to be casting a wide net then filtering out particular results for a closer look, people who want to know what's on your phone are now using individually targeted methods to try to get in it. No matter how you define the good guys versus the bad guys, knowing that smart people are tasked with finding ways to have access to your phone is a very different scenario than a group of crooks fishing for Visa card numbers on Yahoo! mail servers.

This is a device security issue. Do your part and demand the people who made your phone do the same.

Someone who needs to get around the protection an app like Signal offers needs to find a way to tell the app they're allowed to do so. They need to break into your phone and look, just as if they were looking over your shoulder while you were reading it. That means people like the ones who were able to tap into an encrypted iPhone without assistance from Apple are now working on ways to crack into every phone. Including yours. While you might be OK with knowing law enforcement can get in a criminal's phone, know that these methods will become widespread. Two or more people can't keep a secret, and these leaked CIA files show it.

What should we do?

That's the thing, isn't it? I doubt anyone reading this is a target of interest for any three-letter government agency. But you still have a right to privacy.

Thankfully, the advice we've already heard is still the best way to do it: common sense things like not opening attachments from people you don't know, never installing a file from someone who shouldn't be distributing it, and not clicking random links through URL shorteners unless you know who is giving them to you. Do these things, but turn things up a notch and actually do them. If you need to step things up one more notch, use secure messaging services for SMS and email.


There's one more thing we all need to do: Only buy phones made by companies that care about security. If your phone isn't getting regular patches to mitigate these exploits, don't buy that brand next time. Phone manufacturers only care about profits, so to make them pay attention you have to put a dent in those profits.

There was no magic hacker tool pulled from the Vault 7 files and you don't need to be paranoid. But there is a place between not caring and wearing a tinfoil hat, and that's where we should be.

Stay safe.

Jerry Hildenbrand
Senior Editor — Google Ecosystem


  • Nokia 3310 is the way to go! I'm talking about the original.
  • Quote.. There's one more thing we all need to do: Only buy phones made by companies that care about security. If your phone isn't getting regular patches to mitigate these exploits, don't buy that brand next time. This is exactly why Samsung has now lost me as a customer, it's now nearly halfway through March and my unlocked S7edge is still on December 2016, security patch. I have had a lot of Samsung devices but in the future I will be looking at different manufacturers and won't consider Samsung no matter how good the hardware, it means nothing without software support.
  • Pfft. I have a Nexus 6P stuck in January.
  • Mine (6P) used to be stuck from time to time as well, but I had to factory reset for something unrelated and it's been getting monthly security patches ever since, usually around the 4th-7th of the month.
  • Are you on the Beta? If so, get off of it, and you will be updated as you expect.
  • If you're not on beta, go grab the ota from google and update it yourself...
  • Yep I agree. Samsung smart TVs were targeted for a reason according to Vault 7, same probably goes for their phones. I'll stick with my Nexus 5x on Project Fi with the prompt security patches.
  • No problems here with Samsung. My Verizon Note 5 gets security updates every month. It's right now Feb 2017. Weird enough though, my wife's S7e is still October 16!
  • But it also isn't always the manufacturer. I had a Priv, Blackberry was fast at getting out the updates, but if you didn't get it directly from them, you were at the mercy of the carrier. Verizon didn't allow security updates for many months.
  • They also need to make it harder for companies like Cellebrite to break into Android phones. When they can break into any Samsung or even the Pixel/Nexus devices in under 4 minutes but it takes 4hrs to break into an iPhone 6/6+ and they can't even seem to break into the 6S/6S+ and 7/7+ .. we need to think about this and NOT just apps like Signal and Telegram. When you have to hand over your phone to LEO's at an airport .. you want to give them something passcode protected that at least has to sit in an evidence bin for months or years. It's not about having done something wrong or having something to hide .. most folks wouldn't let people just walk into their house and rummage around until they found something/anything to charge you with.
  • Step by step 1984 is getting closer. Is it here in full force no, but the framework is starting to get implemented. One quote I agree with Eric Schmidt "I think big data is so powerful that nation states will fight over how much data matters," 
  • Getting closer? 1984 is already here.
  • Look at Britain and the millions of cameras across their country, pretty frightful.
  • Well actually, 1984 has passed... A long time ago...
  • Eric Schmidt = State Department
    Assange saw that yrs ago
    "When WikiLeaks met Google" book
  • i think that there is far too much attention paid to the wrong areas. Sure, no one wants their personal data compromised, i get that, but most people completely fail to realize that it isn't really necessary to compromise your personal data to paint a much clearer picture of who you are than can even be gained from that data. (do an experiment. go to Magellan's website and look at telescopes or microscopes. or Walmart. or Lowe's. then see how fast related ads start popping up on your favorite social media sites. i can look at where you go, what you buy, who you talk to, all with easily accessed, unsecured information. (and there are many more sources for this information than you think there are). then i can have that data analyzed on my pc to paint that very clear picture. privacy in the 21st century is no longer what it used to be, and there is much less of it than most people can even imagine. "1984" got here before most of you reading this were born and it is growing at an exponential rate.
  • If you're doing anything stupid, you're already supposed to have A BURNER PHONE and BURNER ACCOUNTS...!
  • And I just ordered a brand new shiny tinfoil hat. Guess I'll send it back and ask them to delete my phone's PIN, and my social security number from their file and to return the copy of my fingerprints.
  • I think people need to just get over it. You can buy the most secure phone in the world and intelligence agency's will have it cracked before launch. They aren't reading your mail, texts, or listening to your phone calls.....unless you're a blowtard wanna be terrorist. They aren't after what app you use to access your credit score, or what app your using to download p0rn....they simply don't care. They are after terrorists. Period. BUT in retrospect, if we let this continue, the Gov't will be knee deep in our bung holes making it hard for any type of privacy. .... But for now, no one has anything to worry about unless they be stashin' pics/vids of themselves makin' it with the neighbors dog, horse, pig,.....maybe even furby the ferret. ....oh and of coarse, plotting to take out targets of interest.
  • Wow, How about that...Bung Hole is not on the words that get **** out. Why you are at it, how come you left out toss my salad????
  • Eh. Thought maybe it was too insensitive to those that let their dog... well.... ya know....
  • I have a 6P which thankfully it's already on March, I don't worry about Google but my S7 Edge I do. Samsung seems to be at least pretty current and getting them out on time so far, I've only had the phone since early February but it did get the February patch, nothing for March yet though.
  • @Jerry: You have an error. "WhatsApp, Telegram, and Signal are popular messaging apps that support tend to end encryption and were called out by Wikileaks in connection with the leaked materials." It should be "end to end" not "tend to end encryption." Sorry, I am a ****.
  • thanks. fixed
  • Things like this are why I have not enabled Google Assistant yet
  • You don't need to "enable" Assistant. It's already there. Do you use "OK Google" to talk to your phone? Or do Google searches with the Google app? It's Assistant now. If it's not up and running on your phone yet it will soon. On mine it was active 3 days ago.
  • You also need to avoid buying carrier branded phones as they add an extra hop to the already messy update process and usually get updates after the generic country variants (Samsung's generic US S7/S7 Edge being a notable exception).
  • BlackBerry software is being installed on some very nice devices these days. BlackBerry also takes security seriously and those devices get patched monthly...consistently... and they have just released a very useful privacy app called privacy shade for Android.
  • Amen. Hack this.....
  • "If your phone isn't getting regular patches to mitigate these exploits, don't buy that brand next time." Sage advice, but kind of hard to put into practice with Android.
  • Nope. Simple. Buy from Google or BlackBerry.
  • Jerry, does this apply to all BlackBerry phones? I am looking to replace my 3rd gen motoG that's pretty beat up. It never really got security updates :( . I would like to get something that is secure enough for mobile banking and as future proof as possible, at as modest a price point as realistic. Any suggestions or advice?
  • Great article. Security updates are the main reason why my next phone will not be a Huawei.
  • I think an AC rating for Privacy and Security should be part of every single device reviewed here. There should also be a list maintained of ratings by manufacturer. If these statistics are not highlighted and given enough attention the manufacturers would never give two hoots about bringing those security patches to your devices. As Jerry mentioned let your money speak for your security concerns - do not buy devices from manufacturers ( and carriers) which leave you without at least the monthly security updates. Compliance in having to roll these out in a timely fashion should be mandatory. For the moment I have signed off my loyalty to BlackBerry and Google devices. As far as security patches go all others remain guilty until proven innocent.
  • for the billions of dollars that these government agencies receive from tax dollars, they should get boots in their [rear ends] if they are unable to decipher EVERYTHING on the planet. otherwise, why the ---- are they being paid the big bucks for?
  • Unfortunately Signal isn't the kind of thing that could come preloaded on phones, due to risk of being compromised and being replaced with a tapped version, sort of like what happens to everything that Cisco makes.
  • The new whatsapp update is really frustrating my life here, I don't like the interface
  • Hey Samsung...I bought my last phone from you, you don't take my security seriously, I'm done taking you seriously.
  • The plural of agency is agencies, not agency's. Come on.
  • So tired of wiki-anything
  • Thing is they keep making claims to people being vulnerable yet no one's come forth with actual "real facts" that their personal info has been taken, copied, or altered. I think this is just yet another sales point of any of these phone companies. I know people with iPhone 4 and 3gs... Yet they never have seen a breach as well as my aunt who still uses the LG Phoenix and me as well with my note 3 and my Chinese branded phones (LeEco and Huawei). But it's all your preference to buy into that. Until you all learn that it's those who claim to can protect you are the same ones who also take part in releasing viruses and malware to the public. Yeah I sound like some nutcase but again as many folks as I know with outdated security patches on their phones all show no signs of exploits... Stagefright 1 and 2? Or any other word they come up with to scare you to thinking you need this or that. But it's your preference and I'm just gone wait for the "Chinese are hacking" responses
  • Yep, this is why I buy Google. My Pixel is on March update. I usually get mine by the 12th every month. Encryption is the key for sure. I don't use the encrypted part of Allo, but I can see a need for some people.
  • WhatsApp is closed source and cannot be verified to be backdoor free, it uses Signal's encryption, but could weaken it by watching as you type. Telegram uses non standard encryption and can have intentionally weakened it. Anything on a closed source OS could monitor your key presses. An open source OS can too, but it can be found there not in closed source.