
Encryption prevents Meta from accessing chats, but it is powerless when someone logs directly into a user’s phone, the company’s CEO has said.
265 sats \ 4 replies \ @freetx 12 Jan
> but it is powerless when someone logs directly into a user’s phone
That's true for every form of encryption: if you have the private key (i.e. the user's phone), you can access the data....
However that hides the real attack vector. Many of these "encrypted chats" store the data unencrypted on the local device....the problem comes if you have some type of "backup my phone to the cloud" service turned on (which both iPhone and Android have). Then those chats go to the cloud where who knows who has access....
reply
10 sats \ 0 replies \ @fm 13 Jan
> go to the cloud
Fancy name for: Another person's computer :)
reply
Thanks
reply
Bingo. That's exactly why it is recommended (for curious minds) to use a new breed of OS like Graphene and new chats like Keet that go directly p2p (remember Napster? :-) It is up to an individual to decide what to use, cool iPhone or more restricted OS and limit what you share. In my opinion (I know, no one asked..lol) the moment you send any data from your phone, you should consider it gone.... YMMV of course
reply
As soon as they have access to your phone the encryption doesn't help. At that point they can do whatever: inject the app with a custom logger, run extraction when the user opens the app, etc.
reply
Oh no, who would have thought. Anyway... have you heard of Nostr?
reply
Yes, I've joined it recently.
reply
Wonderful! That's where we all should be!
reply
Is Nostr completely shielded against CIA and Pegasus?
reply
What a surprise...I am very happy only using SimpleX and XMPP. Even Signal is strange, requires a phone number and you can't self-host or intercommunicate with XMPP servers, why?
reply
Signal is also CIA
reply
Signal uses phone numbers for contact discovery, which is an expected feature in a mainstream messaging client.
Unlike every other client that steals your contact list and builds a social graph, Signal does this in a way that Signal does not learn the contact list! https://signal.org/blog/private-contact-discovery/
It was a design choice to use phone numbers as IDs, as WA, Line and other clients were also doing at the time.
reply
Sorry, I'm not really a tech person to explain this. If you know someone tech savvy, you can mention them; they might explain it better.
reply
XMPP is a base layer protocol used and often modified by those companies. In the beginnings of big tech, Facebook, Google Talk, WhatsApp, Signal all started using XMPP and it was even interoperable between the nerd cousin's server and Facebook, Google Talk. If you want to dig a bit read this: https://en.wikipedia.org/wiki/XMPP
SimpleX on the other hand is a much newer protocol that works in a similar way to Nostr, using relays so users don't need an account on a certain server but are really the owners of their accounts and can choose which server(s) to connect with. Try it in practice, SimpleX is very easy to use and set up, no phone number or email needed, and you can find it on the App Store or Play Store. Even better if you're using Graphene, just download it from F-Droid. Peace!
reply
I will go through this. Thank you.
reply
I had to use a VPN to access that article, my ISP blocks the domain. The same with my mobile connection, so it must be a UK-wide thing.
How can the CIA log into my phone? Would GrapheneOS prevent that?
reply
Any intelligence agency can target your device with malware that will give them full control. The primary defense you have against this attack is keeping your device fully patched and updated. The attack could target the messaging software on the device, the mobile operating system, or even the cellular circuitry before it reaches the operating system! Thus, the choice of operating system does not matter if the phone hardware has a vulnerability in its low-level firmware.
GrapheneOS has additional hardening over the open source Android, and also implements fixes from Android, but it is not immune to this attack. It is just as important to keep it patched and up to date.
reply
rt.com is blocked in some countries, because it's notorious for injecting Russian propaganda into articles. Usually the articles are carefully selected to make the US look bad and to instill fear in some way. It's always 2 articles good, 1 article propaganda. Also pay attention to the words they use - they are really good at this actually - the words always manipulate your feelings about the topic and make you hate the west, the US, the democracy, etc. Between the lines it also implies - oh look at how Russia doesn't have this problem and thus is amazing.
reply
> I had to use a VPN to access that article, my ISP blocks the domain. The same with my mobile connection, so it must be a UK-wide thing.
Try using Tor?
CIA hacks phones using the spyware Pegasus, which can sneak in through system bugs and bypass encryption.
GrapheneOS is way more secure than regular Android because it cuts out Google, tightens app permissions, and locks things down. It’s not totally unhackable, but it makes it a lot harder for anyone to break in.
I just copypasted the whole article for you.
CIA can read WhatsApp messages – Zuckerberg
Encryption prevents Meta from accessing chats, but it is powerless when someone logs directly into a user’s phone, the company’s CEO has said
Meta CEO Mark Zuckerberg has acknowledged that US authorities, including the CIA, can access WhatsApp messages by remotely logging into users’ devices, effectively bypassing the platform’s end-to-end encryption.
Speaking on the Joe Rogan Experience podcast on Friday, Zuckerberg explained that while WhatsApp’s encryption prevents Meta from viewing message content, it does not protect against physical access to a user’s phone.
His comments came in the context of a question by Rogan about Tucker Carlson’s quest to set up an interview with Russian President Vladimir Putin. In February last year, while speaking about finally succeeding in talking to Putin after three years of failed attempts, Carlson blamed the US authorities, namely the NSA and the CIA, for stalling his efforts. According to Carlson, the agencies spied on him by tapping his messages and emails, and leaked his intentions to the media, which “spooked” Moscow from talking to him. Rogan asked Zuckerberg to explain how this could have happened given encryption safeguards that are supposed to protect messages.
“The thing that encryption does that’s really good is it makes it so that the company that’s running the service doesn’t see it. So if you’re using WhatsApp, there’s no point at which the Meta servers see the contents of that message,” Zuckerberg said, noting that even if someone were to hack into Meta’s databases, they could not access users’ private texts.
The Signal messaging app, which Carlson used, uses the same encryption, according to Zuckerberg, so the same rules apply. However, he noted that encryption does not stop law enforcement from viewing messages stored on devices.
“What they do is have access to your phone. So it doesn’t matter if anything’s encrypted, they could just see it in plain sight,” he clarified. Zuckerberg mentioned tools such as Pegasus, a spyware developed by the Israeli company NSO Group, which can be covertly installed on mobile phones to access data.
According to Zuckerberg, the fact that users’ private messages can be jeopardized by directly breaking into their devices is the reason Meta came up with disappearing messages, where one can have one’s message thread erased after a certain period of time.
“If someone has compromised your phone and they can see everything that’s going on there, then obviously they can see stuff as it comes in… So having it be encrypted and disappearing, I think is a pretty good kind of standard of security and privacy,” he stated.
Zuckerberg’s remarks come amid ongoing debates about digital privacy and government surveillance. While end-to-end encryption is lauded for protecting user data, agencies like the CIA and FBI have argued it can impede efforts to combat crime and terrorism.
A 2021 FBI training document indicated that US law enforcement can gain limited access to encrypted messages from services like iMessage, Line, and WhatsApp, but not from platforms such as Signal, Telegram, Threema, Viber, WeChat, or Wickr. Additionally, while encrypted messages cannot be intercepted during transmission, reports indicate that backups stored in cloud services may be accessible to law enforcement if an encryption key is attached.
reply
Thanks, but I opened it with the VPN with no issues.
reply
Oh, I apologize. I was replying to someone and misunderstood, thinking you couldn't access the article. However, it could help anyone who can't access the article like you. Thanks
reply
And Meta's bots always say WhatsApp uses E2E encryption like Signal.
reply
This is no surprise. Intelligence agencies are not magic; they rarely have the computational capabilities to break encryption. Communications are subverted by capturing the text either before it is encrypted, or in the clear on the device after it is received.
There are many vendors of software around the world that sell to governments to enable complete compromise of devices. Pegasus by NSO is just the most famous. NSO has been sanctioned, so it is unlikely this was used in this case. There are however many more to pick from, unfortunately. RT is suggesting that an intelligence agency "RAT'd" (Remote Access Trojan) Tucker's phone.
Malware that can compromise a device is, again, not magic, but relies on unpatched vulnerabilities in software. The worst is the '0-click', where a malicious message sent from the attacker is able to exploit some bug in the operating system and hand control to the attacker. The large number of possible file types and messages that a device can understand makes it easier to find places with buggy code. The device vendors put considerable effort into fixing these vulnerabilities.
Next time someone finds a 'killer' bug in Android or iOS, and someone suggests selling that exploit for a payday (shady brokers might pay 20 BTC or more), know that its final usage will be attacking people's devices around the world.
reply
Who is more stupid: 1. people that believe Facebook's "end to end" claims or 2. people that unironically think RT was a reliable source
reply
  1. I believe Meta's claims. Meta claims that WhatsApp implements the Signal Protocol. They claim they have implemented end-to-end encryption for messages. To disbelieve this would require a conspiracy of tens of thousands of engineers and technical staff around the world working at Meta.
  2. RT is not saying anything controversial or surprising here. Their credibility as a news source does not detract from suggesting a likely and technically possible scenario. They suck, but their sucking is not that relevant here.
reply
> To disbelieve this would require a conspiracy of tens of thousands of engineers
Good point
reply
To be honest, both. But it's just the article that talks about Joe's podcast with Zuckerberg. I'll make sure not to share from this source again, sorry.
reply
There is no privacy but in your head. For now. fMRI + AI/ML and that bastion of free thought will go away.
reply