Vault 7 and the Consequences for Enterprise Messengers

WikiLeaks released a series of documents that describe the surveillance activities and capabilities of the United States Central Intelligence Agency (CIA) over the last couple of years.

Teamwire, Mar 13 2017

In particular, they explain in detail how the CIA performs electronic surveillance and cyber warfare. These documents, called Vault 7, are currently all over the news and have enterprises worried about the security of the mobile devices and services they use. Is enterprise data on mobile devices safe? Can enterprises protect communication with strong encryption? Are enterprise messengers secure?


Older Operating Systems Have Security Vulnerabilities


To start with, it should be said that most of the documented cyber-attacks and exploits target older versions of iOS and Android. Apple stated that many of these exploits have already been patched in newer versions of iOS. In addition, Apple is currently evaluating and addressing any remaining vulnerabilities. Google released a similar statement for Android. However, due to the high fragmentation of the Android operating system and the often limited availability of updates, the number of affected and potentially insecure devices is significantly higher on Android.


=> Consequence: Enterprises should use mobile devices with frequent operating system updates, and always update to the latest software version.


Data Stored on the Mobile Device Needs to be Protected


If an operating system has security vulnerabilities, cyber-attacks could target the enterprise data stored on a mobile device. While this kind of wiretapping is resource-intensive and normally focused on key individuals, the damage can be considerable. Enterprises should make sure that as little data as possible (and only as much as required) is available on mobile devices. This can be achieved with data retention policies that automatically delete enterprise data from mobile devices after a defined time span (e.g. 1 day or 1 week). In addition, the enterprise messenger should store app data encrypted in its own container, which makes eavesdropping on corporate data more difficult.


=> Consequence: Enterprises should set up data retention policies for the enterprise messenger and ensure encrypted data storage on mobile devices.


Strong Encryption Protects Against Mass Surveillance


It seems that messengers offering stronger encryption, such as Telegram, WhatsApp and Signal, were not reported to be cracked. Their encryption can be bypassed by capturing text input or digital content before the encryption is applied. However, this is not really big news. Where the operating system has security weaknesses, or where there are backdoors of any kind that allow access to the device, methods such as key logging or recording the user's touch input have existed for a long time. These methods of accessing messages differ from decrypting an already encrypted message, which has not been reported. Therefore, it can be assumed that strong encryption is still an adequate means against mass surveillance.


=> Consequence: Businesses should use enterprise messengers with strong encryption (transport encryption with SSL/TLS is not enough).


Services with Millions of Users Are Preferred Targets


WhatsApp has a billion users and Telegram several hundred million. Needless to say, the CIA has a strong interest in accessing the communication of certain individuals using these services. While hacks of WhatsApp, Telegram and similar services with millions of users have not yet been reported, it can be assumed that several agencies are currently working on successful mass surveillance methods for these messengers. In addition, WhatsApp keeps logs of who talked to whom, and access to these records alone could become a problem for enterprises.


=> Consequence: Businesses should deploy dedicated enterprise messengers and should not use consumer messaging apps like WhatsApp or Telegram.


