When the Snowden docs were published, the big surprise was how deeply the U.S. Government had penetrated networks, and how they were sucking up data at a global scale. We had everything from PRISM, to XKEYSCORE, to the infamous “SSL added and removed here.”
Though there were some references to device-level exploitation, the emphasis seemed to be on network-level attacks. The summer of 2016 saw the release of tools from the Equation Group, which included attacks against network hardware but also many tools for endpoint exploitation. The latest leak, the Vault 7 files, includes many exploits, but unlike previous leaks, initial analysis seems to indicate that they are entirely for attacks against endpoints.
This transition from network-level to endpoint-focused attacks is a trend that points to an interesting hypothesis: Encryption is working.
Encryption – and particularly end-to-end encryption – fundamentally changes the cost of attacks. No longer can an adversary simply sniff network traffic, either locally or globally. To eavesdrop on communications they must take the more expensive and risky approach of compromising endpoints.
Yes, the many exploits in the Vault 7 leak show that endpoints can be compromised; but endpoint attacks are less desirable and cost much more. Endpoint attacks are less effective, as they:
- Reveal the target of the attack.
- Are more likely to be detected.
- Only compromise a single target at a time.
- Don’t automatically follow targets to new devices.
In addition, they are expensive! A 0day iOS exploit is worth hundreds of thousands of dollars, and it becomes worthless as soon as it is discovered. Equally bad, once the fingerprints of a piece of malware can be deduced, software that may have taken years to develop should be abandoned.
Security is a game where one of the most effective tools defenders have is to drive up the risk and cost for attackers. End-to-end encryption is one of the most effective tools to achieve this goal.