Last month, Moscow-based security software maker Kaspersky Labs published detailed information on what it calls the Equation Group and how the U.S. National Security Agency and its U.K. counterpart, GCHQ, have figured out how to embed spyware deep inside computers, gaining almost total control of those computers to eavesdrop on most of the world’s computers, even in the face of reboots, operating system reinstalls, and commercial anti-virus products. The details are impressive, and I urge anyone interested in tech to read the Kaspersky documents, or these very detailed articles.
Kaspersky doesn’t explicitly name the NSA, but the connection is obvious. There are similarities between these techniques and Stuxnet, the NSA-led cyberweapon that was used to attack Iran’s Natanz nuclear facility. The NSA-like codenames pepper the Kaspersky findings. A related Reuters story provides more confirmation: “A former NSA employee told Reuters that Kaspersky’s analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.”
In some ways, this isn’t news. We saw examples of these techniques in 2013, when Der Spiegel published details of the NSA’s 2008 catalog of implants. In those pages, we saw examples of malware that embedded itself in computers’ BIOS and disk drive firmware. We already know about the NSA’s infection methods using packet injection and hardware interception.
This is targeted surveillance. There’s nothing here that implies the NSA is doing this sort of thing to every computer, router, or hard drive. It’s doing it only to networks it wants to monitor. As Reuters reported: “Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, according to Kaspersky.” A map of the infections Kaspersky found bears this out.
So, what do we think of this? On one hand, it’s the sort of thing we want the NSA to do. It’s targeted. It’s exploiting existing vulnerabilities. In the overall scheme of things, this is much less disruptive to Internet security than deliberately inserting vulnerabilities that leave everyone insecure.
On the other hand, the NSA’s definition of “targeted” can be pretty broad. We know that it has been accused of hacking Belgacom, the Belgian telephone company, and Petrobras, the Brazilian oil company. We know it’s collected every phone call in the Bahamas and Afghanistan. It hacks system administrators worldwide.
On the other hand – or, for science fiction readers, on the gripping hand – I can’t help but recall a line from my latest book: “Today’s top-secret programs become tomorrow’s PhD theses and the next day’s hacker tools.” Today, the Equation Group is “probably the most sophisticated computer attack group in the world,” but these techniques aren’t magically exclusive to the NSA.
We know China uses these sorts of tricks against its own citizens. There have already been both academic presentations and hacker posts on similar techniques. Companies like Gamma Group sell less sophisticated versions of the same things to governments worldwide. We need to figure out how to maintain security in the face of these sorts of attacks, because I expect we’re all going to be subjected to the criminal versions of them in three to five years.
That’s the real problem. Security researcher Steve Bellovin wrote about this:
For more than 50 years, all computer security has been based on the separation between the trusted portion and the untrusted portion of the system. Once it was “kernel” (or “supervisor”) versus “user” mode, on a single computer. The Orange Book recognized that the concept had to be broader, since there were all sorts of files executed or relied on by privileged portions of the system. Their newer, larger category was dubbed the “Trusted Computing Base” (TCB). When networking came along, we adopted firewalls; the TCB still existed on single computers, but we trusted “inside” computers and networks more than external ones.
There was a danger sign there, though few people recognized it: our networked systems depended on other systems for critical files…. Too many threats, such as Word macro viruses, lived purely at user level. Obviously, one could have arbitrarily classified word processors, spreadsheets, etc., as part of the TCB, but that would have been worse than useless; these things were too large and had no need for privileges.
In the 15+ years since then, no satisfactory replacement for the TCB model has been proposed.
We have a serious computer security problem. Everything depends on everything else, and security vulnerabilities in anything affect the security of everything. We simply don’t have the ability to maintain security in a world where we can’t trust the hardware and software we use. When governments and others can secretly subvert security in non-detectable ways, insecurity wins.
Concerted government research on these hard security problems would be a sensible thing for us to do, but it’s not going to happen as long as the government is intent on maintaining these insecurities for attack purposes.
Bruce Schneier is a security technologist, and chief technology officer of Resilient Systems, Inc. His latest book is Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. He blogs here.