Yes, the CIA can hack phones but Signal and WhatsApp are still safe for nearly everyone

Wikileaks have published documents claiming that the CIA can use some vulnerabilities in the iOS and Android operating systems to hack mobile phones and then monitor anything that happens on those phones. The vulnerabilities are expensive to buy or discover. In order to keep their existence secret for as long as possible they are likely to have been used on a targeted basis.

Some journalists – working for newspapers including the New York Times, the Independent and the Telegraph – have reported this story as showing that the CIA can bypass the encryption on messaging apps like Signal and WhatsApp. This is emphatically not accurate. The apps themselves are secure. They are probably uncritically repeating a Wikileaks tweet to that effect.

If the CIA (or the NSA, MI5 or GCHQ for that matter) hacks your phone then they will be able to read messages on any messaging app, regardless of how good the app’s encryption is.

There is a big difference between phone operating systems being hacked and message encryption being broken. If a messaging app’s encryption has been broken, that would affect every user of the app. The encryption in Signal and WhatsApp has not been broken.

If the CIA is so interested in you personally that they would hack your phone, then yes you are vulnerable to attack. This is not new. Most of us, however, are not national security journalists reporting on sensitive state secrets so the CIA hacking our phone is very unlikely. We can and should still use encrypted messaging apps to help keep our messages private and secure from people who a) aren’t as powerful and well-resourced as the CIA and b) far more likely to try to read our messages.

Signal and WhatsApp remain very good ways to communicate when using a mobile phone for nearly everyone. 1 The worst thing to do would be to throw our hands up in the air and give up on our digital security.

If someone tunnels into a bank vault, the unbreakable lock on the vault’s door doesn’t help very much. But we know it’s still a good idea to put a really good lock on your bank vault to deal with other break-in attempts.

There are issues with the way the CIA and other intelligence agencies hoard and use device vulnerabilities without reporting them to the manufacturers of the devices. If vulnerabilities in the devices remain unfixed it means that people’s devices are also open to attack from criminals and from other countries’ intelligence agencies.

From a personal security point-of-view it’s important to keep all of this in perspective. Most people are at far greater risk of their devices being infected from clicking a link in a phishing email than they are of being hacked by the CIA using a vulnerability in their device.

1. Issues about WhatsApp’s data collection and contribution to Facebook’s business model are covered here.

Update 8/3/2017, 10:30am – Added links to further incorrect media coverage that questioned the security of Signal and WhatsApp.