“Reckless beyond words” was how well-known whistleblower Edward Snowden recently described the possibility that the US government – more specifically, the CIA – hacked or hid vulnerabilities in mobile devices.
He was responding to the release by WikiLeaks of more than 8,000 documents in early March 2017 with alleged details of CIA hacking activities. Suspicions that popular apps WhatsApp and Signal were hacked were not substantiated by the documents, but the truth was perhaps much worse.
The documents, which have a strong probability of being authentic according to Snowden, indicate the CIA struck at the heart of most mobile systems on the market by hacking the two dominant operating systems: iOS from Apple and Android from Google. The attack vector was zero-day exploits, meaning attacks on vulnerabilities that the creators of the technology were not previously aware of. The added risk was that information on these vulnerabilities was not passed to the vendors afterwards, leaving them available for cybercriminals to exploit.
Now, wherein lies the truth? Nobody can doubt that US government organizations like the CIA have the technical capability to hack systems and applications, if only because this know-how is crucial in defending against cyberattacks. You can only guarantee any level of security if you know how attackers will try to penetrate your systems, networks, and software. From there, it is but a small step to start using such techniques, albeit in the name of liberty, peace, and political apple pie of any other sort, to attack enemies. After all, as the saying goes, offense is the best method of defense.
There is also considerable evidence that numerous nation states engage in systematic cyber warfare, seeking to disrupt, damage, or breach software-driven activities ranging from national power transmission to political elections. Between the CIA, cybercriminals, and country governments across the globe, hacks can happen every minute of the day. No application, operating system, website, or device (mobiles, printers, cars, baby monitors, and any other connected entity) can be taken at face value any longer.
And that is where the real truth lies. Whatever the reality underlying CIA involvement, justified or unjustified, in hacking devices and apps, the fact is that somebody or something out there is setting traps, installing backdoors, or spiking code with instructions to exfiltrate data, anyway. US government departments must answer for any misconduct, like any other organization, but an important reminder in this WikiLeaks revelation is that, shocking though it may be, it is also just the tip of the iceberg.
“Only the Paranoid Survive” wrote Andy Grove, legendary chief of Intel and architect of much of the company’s success in semiconductors and chips. Or as Robert MacDougal (Sean Connery) put it in the movie “Entrapment”, “First we try, then we trust”. Checking any app you plan to use, before you use it, is an essential precaution. Unfortunately, even the good names of Apple’s App Store and Google’s Play are not enough to guarantee that the apps they hold for download are free from dubious or downright malicious code. So, stay a little paranoid and stay safe by trying suitable security checks on apps before you trust them, so that you can at least stay in business for the foreseeable future.