You know how the USA accused Chinese networking equipment vendors Huawei Technologies and ZTE of posing a threat to US service providers because their telecom hardware might have been rigged to snoop for the Chinese government?
Glenn Greenwald, disseminator of the Edward Snowden leaks, says that’s exactly what US intelligence has been doing to other countries.
The Guardian on Monday posted an excerpt from Greenwald’s newly published book – No Place to Hide – in which he writes that the National Security Agency (NSA) has been covertly implanting interception tools into US networking equipment heading overseas.
The source is a June 2010 report from the head of the NSA’s Access and Target Development department – a document that Greenwald calls “shockingly explicit.”
The NSA routinely receives – or intercepts – routers, servers and other computer network devices being exported from the US before they are delivered to the international customers.
The agency then implants backdoor surveillance tools, repackages the devices with a factory seal and sends them on. The NSA thus gains access to entire networks and all their users.
The rigged devices eventually connect back home to the NSA. Greenwald quotes the report:
In one recent case, after several months a beacon implanted through supply-chain interdiction called back to the NSA covert infrastructure. This call back provided us access to further exploit the device and survey the network.
The document displays a certain glee in the agency’s tinkering, Greenwald says, again quoting the report:
SIGINT tradecraft … is very hands-on (literally!)
The NSA responded with a statement saying that everything it does is for the country’s own good and that it won’t comment on specific, alleged activities.
TechCrunch quotes the statement:
As we have said before, the US technology industry builds the most secure hardware and software in the world today. NSA relies on these products to help protect our nation’s most sensitive information and, over the past decade, has turned to commercial technology to replace government-built technology. Given its own reliance on many of the very same technologies that the public uses, the US Government is as concerned as the public is with the security of these products. While we cannot comment on specific, alleged intelligence-gathering activities, NSA’s interest in any given technology is driven by the use of that technology by foreign intelligence targets. The United States pursues its intelligence mission with care to ensure that innocent users of those same technologies are not affected.
As we have previously said, the implication that NSA’s foreign intelligence collection is arbitrary and unconstrained is false. NSA’s activities are focused and specifically deployed against – and only against – valid foreign intelligence targets in response to intelligence requirements. We are not going to comment on specific, alleged foreign intelligence activities. Public release of purportedly classified material about US intelligence collection systems, without context, further confuses an important issue for the country and jeopardizes human life as well as national security sources and methods.
Ranga Krishnan, a technology fellow at the Electronic Frontier Foundation (EFF), said that if Greenwald’s report is accurate, it kicks the scope of NSA spying up a notch, beyond merely intercepting internet traffic and right on into the government being able to frolic in unprotected space.
Krishnan referred to another example of unfettered access to data: a Snowden leak that came out in October 2013, this one regarding the NSA allegedly tapping into Google’s own data center fiber network, where traffic was then unencrypted.
(Google quickly moved to encrypt its internal network.)
Computerworld quotes Krishnan:
That's how most organizations function. So once you're within the company's router, you have access to all that data that's unencrypted.
Of course, on top of free rein with data, once the government’s installed a security hole, all sorts of nastiness could also slither in, he said:
If you have made something vulnerable ... somebody else could discover that and very well use it.
Krishnan’s recommendation for equipment buyers: seek “convincing” evidence that a supplier’s hardware is, in fact, secure.
As Slashdot commenter dougmc notes, the NSA’s probably hiring programmers good enough to slip in a backdoor that would pass code review without being detected.