Deciphering the Misleading “Year Zero” Headlines

It’s no news to anyone in the technology industry, particularly security experts, that advanced teams are dedicating resources to create and acquire exploits and bypass encryption.

It has been a race between those working to enable information security and private communications and adversaries trying to circumvent protections. This friction has been and will be constant.

Another constant is that the stability, performance, and security of a product is tied intimately to the system upon which it runs. While the initial headlines about the “Year Zero” release have focused on how the offensive hacking tools can be used to circumvent the security features of particular applications including Signal, WhatsApp, and Telegram, these stories have largely missed the forest for the trees.

misleading zero image

Rather than targeting specific applications, the hacking tools in question target the foundations upon which they rely – the operating system of the device itself. Once an operating system (OS) has been compromised, it becomes almost unavoidable that a sufficiently persistent and advanced attacker will have a better chance of compromising the security products that run on top of it. This was true for the first root kits in the 90’s and it remains true today for modern smart phones and PCs.

Thus, to suggest that the tools described in the “Year Zero” leak circumvent a particular application security is akin to describing a method for walking through walls as a means for picking the lock of a particular lock vendor. While conceivably true in some very vague sense, the real implications of the method are far more profound and the defense is hardly to look for a different lock.

What we need to realize is that stronger security and encryption are vital to protecting critical user information en masse. Just a few years before end-to-end encryption became a norm, there was not much stopping an adversary from harvesting personal or business communications on a global scale. Now, the effort has become much more targeted and expensive.

Apparently, an easier and more fruitful path now is to exploit the operating systems and hardware, which, with varying degree of success, strive to keep up with the arms race.

Today’s release provides valuable information to security engineers across device manufacturers and the developers of mainstream operating systems to harden their products. It should also provide the appropriate motivation at executive levels to ensure there is budget and support for these security teams tasked with this critical mission.

Clearly it is naïve to expect that smart and motivated teams at intelligence agencies won’t continue to push the boundaries to develop techniques that attempt to compromise privacy protections at every layer. It’s their job, they are well-funded, have advanced skills, and are motivated to succeed.

The best thing individuals and organizations can do is ensure that the products and devices they use are built by organizations that commit the appropriate resources to protecting user content.

We, as an industry, must think long-term and promote more responsible management of critical information and communications. Wickr is committed to investing a great deal into our cryptography and software development processes and are well-positioned to be a persistent and advanced adversary to anyone seeking to access user information — individuals, businesses, and organizations using Wickr tools for private communications.

Now that end-to-end encryption has become table stakes, persistent ephemerality and data minimization must become the next milestones for private communications. We look forward to seeing more companies adopting what has been the core principle in all Wickr products to help minimize the window of opportunity for an attacker and ensures that no information lives beyond its useful life and intended recipient.