Is your Samsung TV spying on you? Have smart phone communications applications previously regarded as secure from snooping been breached? Should we just give up trying to protect our privacy in the face of remorseless intelligence agency assaults on the security of the internet?
There’s no doubt the latest WikiLeaks document cache is a blockbuster: a trove of documents detailing the CIA’s extensive catalogue of cyber-espionage tools. And some of the headlines about the release, suggesting encrypted apps like Signal were no longer safe, would send shockwaves through the many people — from journalists and politicians to whistleblowers and activists — who rely on encrypted apps to communicate beyond the reach of governments like our own that use their powers to spy on citizens.
For the non-technically minded, however, here are three key messages from the material and expert coverage so far:
1. Encrypted apps are still safe — but your device may not be
The CIA hasn’t managed to break the encryption used by secured communication apps, or that used by major service providers like Google and Apple. What they’ve done is target the operating systems of the devices on which the apps and services run. And they’ve used security flaws in the Android and iOS operating systems to gain unauthorised access — or they’ve purchased exploits that do so. Take, for example, an exploit called Earth/Eve which uses a flaw in Apple’s iOS to provide remote access to an Apple mobile device — it was bought by the National Security Agency from an unknown party. Or, if you use an Android phone, there’s a list of exploits bought, developed and obtained by the CIA here. If anything, the focus on attacking device operating systems suggests encryption is actually an effective tool for preventing governments from spying on your communications — but only as long as Apple, Google and other operating system developers know about and rapidly patch vulnerabilities.
2. Mass surveillance makes us all less safe
As Edward Snowden has been pointing out today, the most alarming thing about these documents is that intelligence agencies know about major security problems in the world’s most widely used devices — problems that could be exploited by terrorists, organised crime, pedophiles, anyone with malicious intent on the internet — and rather than draw them to the attention of manufacturers, they are hiding them in order to exploit them themselves. The result is that the actions of security agencies — who purportedly are supposed to make us safer — make us less safe.
Moreover, by using taxpayer money to pay hackers, criminals and other governments for exploits that allow them to use security vulnerabilities, western intelligence agencies are creating incentives for the constant exploitation of vulnerabilities, adding perhaps hundreds of millions of dollars of demand to a black market in exploits. Not merely are security agencies making our devices less safe, they’re providing resources to malicious actors who want to break into them.
3. The Internet of Things sucks
If you haven’t worked out by now that the so-called, and relentlessly hyped, “Internet of Things” is bad news for security and privacy, you haven’t been paying attention. That Samsung TV that’s spying on you? It didn’t take the CIA to work that out: Samsung itself warned us all two years ago that anything we said in front of one of its smart TVs could be recorded and provided to third parties. That was a few months before we learnt Samsung’s smart fridge could be used to steal your Gmail password. Fridges can also be used in botnets. Nor is it just your appliances or Samsung — fitness apps have been hacked. Pacemakers can be hacked. Baby monitor and household CCTV hacking is a virtual minor industry.
And while WikiLeaks warns that intelligence agencies gaining access to motor vehicles could lead to “nearly undetectable assassinations”, more prosaically, the growth of internet-connected vehicles and the emergence of driverless cars means you’ll never be able to drive anywhere without extensive monitoring of your location being retained by private companies and stored, often insecurely, in cloud servers. Just ask the 800,000 families who bought Cloudpets — internet-enabled stuffed toys — and have now learnt their passwords, children’s data and recordings were stolen earlier this year.
While the trade-off of privacy and safer roads and better driving might make driverless cars acceptable, the often dubious benefits of internet-connected appliances and toys are a minimal offset to the massive security threat such devices represent, especially for people who can’t be bothered to, or don’t even realise they can, change the default password such devices come with. As IoT critics like to point out, these aren’t appliances and devices with an internet connection, they are computers that happen to wash your dishes, chill your food or entertain your children. And they should be treated with the same security rigour as other computers — by both users and manufacturers.
The IoT stuff is hilarious. The benefits are infinitesimal, the risks substantial and unknown. You won’t believe this, but I can open my fridge door and work out what I need to buy using a pencil and paper. It’s radical!!!!
I am yet to see anything in the IoT sphere currently in use or planned that has or would remotely improve my life. So far, only geek toys.
But you early adopters, go for your life. Canaries in the coal mine??
IoT aims to exclude you from the process. In your example you opening the fridge to check supplies doesn’t happen. As far as you are concerned there is never a shortage so the need to check never arises. The benefit is on the supply side. I will give you the fridge because it means I can save 90% of my distribution costs and locks you into buying my products.
Is there anything new in this? Maybe a bit of detail; but people who have wanted confidential meetings have required collection of mobile devices for years. Haven’t we all read “Girl with the Dragon Tattoo” and similar?
Nice to see someone is gathering intelligence on what intelligence agencies are doing – even if only in the national (voter’s) interest?
Is the day swiftly approaching when the thought that info was once placed on that old fashioned Intertubes thingy will be deemed as dumb as a bag of rocks?
Surely we are fast approaching multiple intranets where your participation is your bond – with exclusion the penalty for breaches.
Soon lycra-clad loons will be rushing around the streets, on electric unicycles, carrying USBs from user to user.
Well, it was fun, kinda-sorta, while it lasted.
Obviously what is needed . . . a personal household robot over sighting, guarding against and de-bugging all living space; programmed to constantly sweep entire physical, electronic environment. (In the past referred to as ‘My Castle’ . . . and now as ‘My Habitat Profiling Centre.’)
Seriously, as detail of our future lifestyle options emerge the more one considers upside of a mud brick shack, alongside a creek on five acres of good soil, and a jump stump plough . . . . and you can all get stuffed!