SAN FRANCISCO — A misreading of new WikiLeaks documents published Tuesday morning led to mass panic over whether the CIA and allied intelligence organizations could hack into secure messaging apps trusted by millions of people across the world.
The claims were made off a cache of almost 9,000 documents and files that WikiLeaks said came from the CIA's Center for Cyber Intelligence and allegedly detail how the CIA hacks into phones, laptops, and other connected devices. A number of news outlets reported that the documents revealed that Signal, WhatsApp, and other messaging apps that use high-level encryption to ensure that messages are sent and received safely had been compromised.
Cybersecurity experts, however, were quick to point out that the documents simply stated that if a phone was compromised — which is to say if the CIA hacked into the phone itself — any apps on that phone would no longer be secure. This is the equivalent of saying that if your house is broken into and bugged, whispering softly on your phone in your bedroom is not going to make that conversation secure.
The Wikileaks documents do confirm that the US actively seeks ways to hack into cell phones, computers, and any other smart, connected devices, by collecting what are known as "zero days." Zero days are the names given for bugs or other issues with a piece of technology that the original manufacturer doesn't know about yet. Essentially it's a problem that the manufacturer has had zero days to fix, so whether its a app within your iPhone or Microsoft Word, hackers can use it to get into your system without you (or the manufacturer) knowing about it.
In their release, Wikileaks wrote that, "'Year Zero' introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products, include Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones."
Zero days, however, are difficult to find and cost millions of dollars to develop or buy from private cybersecurity researchers who uncover them. So while the CIA — or any other intelligence agency — could use a zero day to compromise a phone or laptop, it would need to be a very high value target for them to do so.
The leak is the latest to become public by WikiLeaks, which has come under fire for failing to adequately redact certain documents and also for its role in the US election. Last year the group released thousands of emails detailing the communications of top Democratic Party leaders — which were widely believed to originate from a Russian government–sponsored hack. US intelligence agencies accused Russia of trying to meddle in the US elections and said WikiLeaks had assisted in that cause.
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F
Got a confidential tip? Submit it here.