One lesson of the CIA leak: End-to-end encryption works
This week, WikiLeaks published yet to be confirmed information on hacking tools used by the Central Intelligence Agency, including a long list of exploits. Although some interpreted the news as the CIA found a way to “crack” end-to-end encryption, this is not the case. We agree with Open Whisper Systems that the recent news in fact proves that end-to-end encryption works as intended.
There are no signs that the spy agency “cracked” or “broke” end-to-end encrypted apps. The CIA might have used workarounds by exploiting security vulnerabilities in operating systems and other software in order to take over the whole device instead. End-to-end encryption is still the strongest protection against mass surveillance techniques like intercepting messages in-transit or requiring providers to hand over user data in bulk. Because of this, authorities and hackers have to find complicated, resource-heavy, and more targeted means to gather intelligence.
The majority of the vulnerabilities listed are not really surprising to the cybersecurity community. Some of them are well-known and used by hackers as well, who are after sensitive user data. As exploits like these can always be used by malicious parties like hackers, it is crucial for all users to protect the security of their devices as much as they can.
The recent news should by no means decrease trust in end-to-end encrypted apps. On the contrary. Using end-to-end encrypted apps is the first step towards privacy and security. The question is rather, what else you can and should do to protect yourself besides using these apps.
- Use encrypted apps preferably for all communications, email, messaging and file sync & sharing alike. Here is a list of apps that help you keep your data secure and private.
- Pay attention to your device security in general. End-to-end encryption is the most powerful tool to protect yourself against mass surveillance. If end-to-end encrypted messages are intercepted, their content cannot be read, because the encryption keys are stored at the users. However, end-to-end encrypted apps alone cannot protect you from all attacks that exploit vulnerabilities of other software on your device. If someone takes over your phone exploiting weaknesses of your operating system, they might read messages on your device.
- Update, update, update. The most important thing to keep your devices secure is is updating operating systems and applications, on a regular basis. Think of it as a general hygiene routine. If you use outdated software, you’re unprotected against hackers and authorities exploiting security vulnerabilities. New versions of software include critical vulnerability fixes that were patched after security experts found them.
- Download apps only from trusted sources. Before you download any app to your device, make sure that it comes from a trusted developer. Use only official websites and app stores.
- Protect your online accounts with strong passwords and 2-factor authentication. Using a strong password and two-factor authentication as an additional layer of security is crucial for all of your accounts. If you don’t set a strong password, neither encryption nor patches and anti-malware software can protect you as effectively as it could.