Ditch your Android phone and any PC for sensitive communications if you're a target of well-resourced attackers, warns a highly regarded cryptographer.
Whatever you think about Wikileaks’ release of details about CIA hacking tools, there is one important lesson. It’s that encrypted messaging apps aren’t secure when the device the app is running on has been hacked.
While this holds for both PCs and mobile devices, mobile devices are far less exposed to the common attack methods, which can make them the safer option -- particularly if you’re of interest to government agencies.
A few days before WikiLeaks published details about the CIA’s exploits, Buzzfeed’s world editor Miriam Elder presciently asked on Twitter whether Edward Snowden’s preferred encrypted messaging app, Signal, was equally secure on desktop machines as it was on mobile devices.
Cryptographer and professor at Johns Hopkins University, Matthew Green, chimed in, saying that journalists — or for that matter, anyone who is targeted by a well-resourced attacker — should “use an iOS device exclusively” for handling sensitive communications, pointing to the threat of malicious attachments, such as malware-laced Word files.
“If you routinely download email attachments on a machine, just assume it's cooked/cookable,” he said on the thread to Elder’s question, referring to attachments downloaded on a PC or Mac.
Green said that hacking an iPhone via a malicious attachment was harder than compromising a Mac or PC this way.
“The problem is that it's much easier to accidentally download executable code on a desktop,” he said, pointing to Office macros, which cybercriminals use to trick email recipients into running malicious programs on Windows machines. One example is the Cerber ransomware, which relied heavily on spam with malicious Office macros to net victims.
“Once you have execution, on most desktop configurations it's pretty much over,” Green wrote.
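The attack path Green describes starts with a macro-enabled Office attachment reaching a desktop. The following is an added example, not code from the article or from Green, showing how a mail gateway or a cautious recipient can triage an Office attachment before opening it: modern Office files are zip containers (OOXML), and a VBA project shows up as a vbaProject.bin part and as a vbaProject content type in [Content_Types].xml. The part names and content-type string are standard OOXML conventions; the sample documents are constructed in memory and are not real files from the page.

```python
import io
import zipfile

# Standard OOXML locations for embedded VBA projects (Word, Excel, PowerPoint).
VBA_PART_NAMES = {
    "word/vbaProject.bin",
    "xl/vbaProject.bin",
    "ppt/vbaProject.bin",
}
# Content type that OOXML uses to declare a VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions that by convention must not carry macros; finding one is a red flag.
MACRO_FREE_EXTENSIONS = {"docx", "xlsx", "pptx"}


def ooxml_has_vba(data: bytes) -> bool:
    """Return True if an OOXML blob (docx/docm/xlsx/xlsm/...) embeds a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if names & VBA_PART_NAMES:
                return True
            # Catch vbaProject.bin stored under a non-standard folder name.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            # Catch a VBA part declared under a renamed file by its content type.
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in content_types:
                    return True
    except zipfile.BadZipFile:
        # Not a zip container: legacy .doc/.xls (OLE2) files need a separate OLE parser.
        return False
    return False


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify an attachment as macro-enabled, macro-free, or not an OOXML container.

    Also flags the case where a supposedly macro-free extension (.docx) hides a
    VBA project, which is a common way to get past naive extension filters.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    try:
        with zipfile.ZipFile(io.BytesIO(data)):
            is_ooxml = True
    except zipfile.BadZipFile:
        is_ooxml = False
    if not is_ooxml:
        return {"filename": filename, "verdict": "not-ooxml", "extension_mismatch": False}
    has_vba = ooxml_has_vba(data)
    return {
        "filename": filename,
        "verdict": "macro-enabled" if has_vba else "macro-free",
        "extension_mismatch": has_vba and ext in MACRO_FREE_EXTENSIONS,
    }


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = [
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        ]
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not a real project
            overrides.append(
                '<Override PartName="/word/vbaProject.bin" ContentType="' + VBA_CONTENT_TYPE + '"/>'
            )
        zf.writestr("[Content_Types].xml", "<Types>" + "".join(overrides) + "</Types>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("memo.docx", build_sample(False)),
                       ("invoice.docm", build_sample(True)),
                       ("report.docx", build_sample(True)),
                       ("notes.txt", b"plain text, not a zip")]:
        print(triage_attachment(name, blob))
```

The mismatch flag matters more than the bare verdict: a .docx that carries a VBA project is almost never legitimate, while a .docm from a known sender may be. Either way the check only tells you a macro is present, not what it does; the gateway policy for a high-risk recipient is still to strip or quarantine, which is the point Green is making about desktops.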
Then, announcing the CIA offensive tools release on Tuesday, Wikileaks said in a press release that the agency can “bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied.”
Some reports suggested Signal could be bypassed but omitted the rest of Wikileaks’ statement, which makes clear that an attacker would first have to hack the device in order to collect messages before they are encrypted.
Signal’s maker, Open Whisper Systems, responded to these reports: “The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption”.
Green has now offered a more detailed explanation of why getting malware onto a phone is a much harder job for a government agency than hacking a laptop, factoring in that most reporters are inclined to open attachments from unknown sources. The answer is sandboxing.
“Classical (desktop and laptop) operating systems were designed primarily to support application developers. This means they offer a lot of power to your applications. An application like Microsoft Word can typically read and write all the files available to your account. If Word becomes compromised, this is usually enough to pwn you in practice. And in many cases, these applications have components with root (or Administrator) access, which makes them even more dangerous,” he writes.
“Modern phone operating systems like Android and iOS were built on a different principle. Rather than trusting apps with much power, each app runs in a “sandbox” that (mainly) limits it to accessing its own files. If the sandbox works, even a malicious application shouldn’t be able to reach out to touch other apps’ files or permanently modify your system.”
While both iOS and Android offer roughly equivalent protections at this level, Green argues that iOS is the better choice because of its integrated model, which covers both OS updates and hardware, whereas Android only guarantees regular updates if the device was made by Google.
“Since Apple is the only manufacturer of iOS devices, there is no “middleman” when it comes to monitoring for iOS issues and deploying iOS security updates. This means that the buck stops at Apple — rather than with some third-party equipment manufacturer. Indeed, Apple routinely patches its operating systems and pushes the patches to all supported users — sometimes within hours of learning of a vulnerability (something that is relatively rare at this point in any case),” writes Green.
“Of course, to be fair: Google has also become fairly decent at supporting its own Android devices. However, to get assurance from this process you need to be running a relatively brand new device and it needs to be manufactured by Google. Otherwise you’re liable to be several days or weeks behind the time when a security issue is discovered and patched — if you ever get it. And Google still does not support all of the features Apple does, including in-memory code signing and strong file encryption.”