A seminal 2015 paper argues that if you leave a key under the doormat, a burglar eventually finds it. When law enforcement argues it needs a “backdoor” into encryption services, we need to ask whether we should entrust a key to someone who gets robbed, perhaps frequently.
In March, WikiLeaks released nearly 9,000 documents exposing the CIA’s hacking arsenal. More so-called Vault 7 secrets trickled out as recently as this week. And then there’s the mysterious group or individual known as the Shadow Brokers, which began sharing purported NSA secrets last fall. April 14 marked its biggest drop yet, a suite of hacking tools that target Windows PCs and servers to devastating effect.
The fallout from the Shadow Brokers has proven more concrete than that of Vault 7; one of its leaked exploits, EternalBlue, facilitated last month’s WannaCry ransomware meltdown. A few weeks later, EternalBlue and two other pilfered NSA tools helped advance the spread of Petya, a ransomware outbreak that looks more and more like an act of cyberwar against Ukraine.
“If a hacker were to compromise a significant encryption platform, we could see something much worse than the WannaCry ransomware attack,” says Mitnick. WannaCry froze up hundreds of thousands of computers; WhatsApp, which uses Open Whisper Systems’ Signal Protocol, has well over a billion users with default, end-to-end encrypted chat. The implications come into even sharper relief when you consider countries where access to encrypted chat provides the best defense against oppressive regimes.