New Snowden documents suggest that the NSA is exploiting unpublished flaws in the routers, firewalls and hard drives of the largest tech vendors.
Months into what surely deserves to be called the Internet’s ‘Snowden era’, the leaks keep coming and indeed appear to be getting worse. America’s greatest ever whistleblower (or traitor, take your pick) became globally famous by revealing that the NSA had the ability to monitor any and every communication, but now it is starting to look as if that’s barely the half of it.
According to new Snowden documents seen by German magazine Spiegel Online, one department of the NSA, the Tailored Access Operations (TAO), has assembled and is exploiting a catalogue of secret vulnerabilities in the routers, firewalls and even hard drives from a group of leading vendors, including Juniper Networks, Cisco, Samsung and even (ironic cheers) Chinese telecoms maker Huawei.
These have been described slightly ambiguously as “back doors” by some journalists but that’s pushing it a bit. In this context a back door could imply a degree of collusion by the maker and there is no evidence that this is the case.
On Sunday 29 December, Cisco’s senior security officer John Stewart issued a statement expressing his concern at the story, writing that the firm was “deeply concerned with anything that may impact the integrity of our products or our customers’ networks and continue to seek additional information.”
“As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security ‘back doors’ in our products,” Stewart added.
What the TAO documents refer to are more accurately described as unpublished flaws or hacks in system firmware that can be exploited for as long as they remain secret and unpatched. The dangers in all this are obvious to Stewart, as they should be obvious to anyone. Trust in security equipment isn’t just being eroded in some abstract sense; it is now reportedly costing US security vendors sales in Asia and China. This trend could easily accelerate, with damaging consequences if it spreads to Europe.
The irony is almost comic. US politicians have been incredibly leery about allowing US infrastructure firms to buy equipment from China’s allegedly state-affiliated Huawei for fear of covert back doors. Now it looks as if the perceived risk of using Huawei could be less about alleged Chinese government spying than about spying by the US’s own NSA.
Some could point out that US vendors including Cisco are already required to enable lawful intercepts through the 1994 Communications Assistance for Law Enforcement Act (CALEA), but what Spiegel Online claims it has seen goes well beyond what this surveillance was meant to allow. Looked at more cynically, perhaps the NSA revelations simply strip bare the extent to which the complex security systems and architecture that have been built to protect firms and individuals in the Internet era are an illusion - the wiretap trumps all.
Whether eventually confirmed or not, the claims made about the NSA's TAO are uncomfortable. They confront us with the unpalatable possibility that an agency of the US Government has found a way around the security architecture that secures many Internet and computer systems, and that for the foreseeable future there will be no patch. Worse, because the firmware involved is largely undocumented and proprietary, external researchers can’t easily (or legally) get under the hood to look for the flaws in the public interest.
This is uncharted territory for everyone, especially the many organisations that increasingly wonder who to believe. Many in the security industry must now hear the name Edward Snowden with deep dread.