You know how the USA accused Chinese networking equipment vendors Huawei Technologies and ZTE of posing a threat to US service providers because their telecom hardware might have been rigged to snoop for the Chinese government?
Glenn Greenwald, disseminator of the Edward Snowden leaks, says that’s exactly what US intelligence has been doing to other countries.
The Guardian on Monday posted an excerpt from Greenwald’s newly published book – No Place to Hide – in which he writes that the National Security Agency (NSA) has been covertly implanting interception tools into US networking equipment heading overseas.
The source is a June 2010 report from the head of the NSA’s Access and Target Development department – a document that Greenwald calls “shockingly explicit.”
Greenwald’s allegation:
The NSA routinely receives – or intercepts – routers, servers and other computer network devices being exported from the US before they are delivered to the international customers.
The agency then implants backdoor surveillance tools, repackages the devices with a factory seal and sends them on. The NSA thus gains access to entire networks and all their users.
The rigged devices eventually connect back home to the NSA. Greenwald quotes the report:
In one recent case, after several months a beacon implanted through supply-chain interdiction called back to the NSA covert infrastructure. This call back provided us access to further exploit the device and survey the network.
The document displays a certain glee in the agency’s tinkering, Greenwald says, again quoting the report:
SIGINT tradecraft … is very hands-on (literally!)
The NSA responded with a statement saying that everything it does is for the country’s own good and that it won’t comment on specific, alleged activities.
TechCrunch quotes the statement:
As we have said before, the US technology industry builds the most secure hardware and software in the world today. NSA relies on these products to help protect our nation’s most sensitive information and, over the past decade, has turned to commercial technology to replace government-built technology. Given its own reliance on many of the very same technologies that the public uses, the US Government is as concerned as the public is with the security of these products. While we cannot comment on specific, alleged intelligence-gathering activities, NSA’s interest in any given technology is driven by the use of that technology by foreign intelligence targets. The United States pursues its intelligence mission with care to ensure that innocent users of those same technologies are not affected.
As we have previously said, the implication that NSA’s foreign intelligence collection is arbitrary and unconstrained is false. NSA’s activities are focused and specifically deployed against – and only against – valid foreign intelligence targets in response to intelligence requirements. We are not going to comment on specific, alleged foreign intelligence activities. Public release of purportedly classified material about US intelligence collection systems, without context, further confuses an important issue for the country and jeopardizes human life as well as national security sources and methods.
Ranga Krishnan, a technology fellow at the Electronic Frontier Foundation (EFF), said that if Greenwald’s report is accurate, it kicks the scope of NSA spying up a notch, beyond merely intercepting internet traffic and right on into the government being able to frolic in unprotected space.
Krishnan referred to another example of unfettered access to data: a Snowden leak that came out in October 2013, this one regarding the NSA allegedly tapping into Google’s own data center fiber network, where traffic was then unencrypted.
(Google quickly moved to encrypt its internal network.)
Computerworld quotes Krishnan:
That's how most organizations function. So once you're within the company's router, you have access to all that data that's unencrypted.
Of course, on top of free rein with data, once the government’s installed a security hole, all sorts of nastiness could also slither in, he said:
If you have made something vulnerable ... somebody else could discover that and very well use it.
Krishnan’s recommendation for equipment buyers: seek “convincing” evidence that a supplier’s hardware is, in fact, secure.
How?
As Slashdot commenter dougmc notes, the NSA’s probably hiring programmers good enough to slip in a backdoor that would pass code review without being detected.
I don’t really know how shocked we should be by this news. It was widely known that the NSA was working with Bell Labs, back in the 60’s, to insert backdoors into exported phone switches and PBX gear. Former NSA employees would brag about the ability to monitor every call that went through this compromised gear, much of which was bought by foreign national telecoms. These same braggers would boast that the NSA had a kill switch that would shut down these systems and kill communications in these countries.
So basically, one can forget about real privacy from the government’s prying eyes. Because no matter how many different certifications and standards a vendor has passed, there is always the chance that there is a back door wide open.
… and most are “managed” by the vendor for “Maintenance\diagnostic” reasons.
So what do you have to do? Encrypt all communication, even communications to yourself within your own computer?
This is not news. If you read the dumped files from the Snowden incident you saw this last year, along with a description of all the little devices they deploy.
So… the fact that China has been selling counterfeit CISCO gear is not a problem… with anyone?
This is shocking! The NSA is a spy agency. Are you telling me they are actually spying? Who would have guessed?
Well done NSA. A spy agency coming up with some novel ways of spying.
What is shocking is the rather silly idea that given a choice between using their limited resources to …
a) intercept a suspected extremist in Pakistan emailing a jihadist in Syria via a doctored router in Turkey
or
b) intercepting my email confirming I want size 8 gloves not size 9 from an online retailer (my last email)
… they would choose to expend resources on my emails
I’m not sure whether this constant ‘NSA is watching YOU’ misrepresentation by the media is silly or whether it is a deliberate intent to mislead.