The Central Intelligence Agency (CIA) logo is displayed in the lobby of CIA Headquarters in Langley, Virginia, on August 14, 2008.SAUL LOEB/AFP/Getty Images
Ultra-secure messaging apps including Signal and WhatsApp, used by millions of people around the world, use strong end-to-end encryption to keep communications of users safe from spying. This week, WikiLeaks claimed the Central Intelligence Agency (CIA) had cracked it.
The truth, however, was slightly different. In fact, far from breaking directing through the protections offered by these measures, the reality indicates US state-backed hackers are having to resort to increasingly extreme measures to circumvent such technology.
The trove of documents, said to have been pilfered from the agency's Cyber Intelligence unit in Langley, Virginia, did appear to include a number of exploits that could give access to iOS and Android devices – but this is very different from cracking encryption.WikiLeaks, in an analysis published alongside its leak of alleged CIA hacking tools – dubbed "Vault 7" – said the agency could use them to "bypass" encryption. Later, it fuelled speculated by tweeting that major apps, including WhatsApp, Signal, Telegram and Confide, were all at risk.
"If you exploit a device at operating system (OS) level, app-based security does not matter," Will Strafach, an Apple iOS security expert, told IBTimes UK.
"If someone is specifically targeted and their phone is running an older [software] version and thus vulnerable to exploitation, no 'secure' application can protect them because the operating system itself is compromised," he added.
Open Whisper Systems, the company that develops Signal, an app formerly endorsed by NSA whistleblower Edward Snowden, issued a statement via Twitter stressing its encryption remains secure. WhatsApp uses the same back-end protocols as Signal to keep its users safe.
"The CIA/WikiLeaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption," the firm wrote.
"The story isn't about Signal or WhatsApp, but to the extent that it is, we see it as confirmation that what we're doing is working," it added. "End-to-end encryption is pushing intelligence agencies from undetectable mass surveillance to expensive, high-risk, targeted attacks."
Robert Graham, a security researcher, wrote a blog post that reinforced this point. "The CIA has some exploits for Android/iPhone. If they can get on your phone, then of course they can record audio and screenshots," he wrote, referencing the WikiLeaks release.
"Technically, this bypasses/defeats encryption - but such phrases used by WikiLeaks are highly misleading, since nothing related to Signal/WhatsApp is happening.
"What's happening is the CIA is bypassing [and] defeating the phone."
With the phone or device compromised any hacker will likely have full access to the applications on it – that has always been the case. Most web users, while not likely to ever be specifically targeted for surveillance by the CIA, can stay protected by updating their phones and tablets.
WikiLeaks Homepage
The homepage of the WikiLeaks.org website is seen on a computer after leaked classified documents were posted to it July 26, 2010 in Miami, FloridaJoe Raedle/Getty Images
Apple, which develops and maintains iOS, released a statement after the WikiLeaks trove of documents was published informing its customers most of the exploits had already been fixed in the latest release of the software, which is automatically pushed out to users.
"We will continue work to rapidly address any identified vulnerabilities," it said. "We always urge customers to download the latest iOS to make sure they have the most recent security update."
And after analysing the contents of the leak, Strafach noted: "Nothing here appears to be something an attacker can use to exploit your iOS device if you are running the latest firmware."
WikiLeaks founder Julian Assange, has called the full release, which spans from 2013 to 2016, the "largest intelligence publication in history." A CIA spokesperson said: "We do not comment on the authenticity or content of purported intelligence documents."
The source of the leak remains unknown at the time of writing.