No sooner had the security researchers who discovered the ‘catastrophic’ Heartbleed bug made their findings public last Monday than speculation became rife that the NSA had known about the bug all along. Heartbleed is a two-year-old security hole in OpenSSL (the internet’s most popular encryption library) that could lead to over two-thirds of all secure internet sites being compromised.
Accusations that the NSA deliberately engineered the bug in the open source software were scotched on Friday when German programmer Robin Seggelmann admitted making an ‘oversight’ while working on the OpenSSL code:
‘I am responsible for the error, because I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version.’
Although some have seen this as a failure for open source, others, including Seggelmann himself, have claimed that it is in fact a victory:
‘I don’t see it as a failure of open source. On the contrary, the publicly accessible code made it possible that the error has been discovered and published.’
Seggelmann instead blamed the delay in discovering the ‘simple programming error’ on the lack of resources available to the open source community.
So the NSA did not engineer the flaw, but did it know about the flaw, and has it exploited it? Given the agency’s history of deliberately undermining popular encryption standards, it is hardly surprising that many suspect it of already being aware of the bug and actively taking advantage of it. In September, when the Guardian disclosed Edward Snowden documents showing the scale of this tampering with commonly used encryption standards (in a program known as ‘Bullrun’), it reported that:
‘The document reveals that the agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.’
Exactly what these capabilities were remained something of a mystery, but the cat was put among the pigeons on Friday when Bloomberg reported that two unidentified sources close to the NSA had confirmed the NSA knew about the Heartbleed flaw and ‘regularly used it to gather critical intelligence.’
The news shot around the internet, and although it initially refused to comment, the NSA later made the following statement denying knowledge of the bug:
‘Reports that N.S.A. or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report.’
The debate still rages, fueled by the knowledge that the NSA actively seeks out encryption flaws in software so that it can exploit them, and that, in contrast to the limited resources available to open source projects, it employs over 1,000 experts dedicated to seeking out such flaws. In 2010 the NSA’s UK sidekick GCHQ stated in a leaked document that ‘vast amounts of encrypted internet data which have up till now been discarded are now exploitable’. This statement dates to before the Heartbleed vulnerability was introduced, but it clearly demonstrates the spying agency’s dedication to cracking encryption.
If the NSA did know about the bug, then questions must be raised not only about the reach of its own spying programs, but about how such knowledge, secretly hoarded for its own nefarious purposes, jeopardises the security of the entire internet. As Harley Geiger, senior counsel for the Center for Democracy & Technology in Washington, observes:
‘What may be a good tool for the NSA may also turn out to be a tool for organizations that are less ethical or have no ethics at all.’