Somewhat careless wording by Wikileaks has led to widespread reports than messaging apps that use end-to-end encryption – like Signal, WhatsApp and iMessages – had been compromised by the CIA. There is in fact no evidence that this is the case.
Any suggestion that Signal had been compromised would be particularly worrying as it is a favorite tool of journalists when communicating with sources whose safety could be endangered if it was known they were talking to the press.
The misunderstanding arises because the CIA’s tools would allow it to take control of specific devices, and once a device is compromised, then end-to-end encryption no longer offers any protection. But that’s very different from suggesting that the apps themselves have been compromised.
Indeed, as Edward Snowden and others have observed, the very fact that the CIA needs to attack devices is evidence that it has been unable to intercept communications which employ strong encryption. As the NYT puts it:
If anything in the WikiLeaks revelations is a bombshell, it is just how strong these encrypted apps appear to be. Since it doesn’t have a means of easy mass surveillance of such apps, the C.I.A. seems to have had to turn its attention to the harder and often high-risk task of breaking into individual devices one by one.
So sure, if your device has been compromised, all bets are off. But there is nothing at all to suggest that the CIA has any ability to decode communications from IM apps which use strong encryption. The NYT again:
Neither Signal nor WhatsApp, for example, appears by name in any of the alleged C.I.A. files in the cache. (Using automated tools to search the whole database, as security researchers subsequently did, turned up no hits.) More important, the hacking methods described in the documents do not, in fact, include the ability to bypass such encrypted apps.
Both Apple and Google have stated that ‘many’ of the exploits revealed have already been patched, and that they are working swiftly to fix others – a task made easier by the announcement that Wikileaks will share with tech companies the full details of the hacks.