GCHQ and NSA’s mission to subvert anti-virus software

Douglas Crawford

Douglas Crawford

June 26, 2015

According to new Edward Snowden documents released on Monday by The Intercept, the NSA, and in particular its UK sidekick GCHQ, have been systematically working to reverse engineer popular commercial security products (most notably anti-virus software).

reverse 1

The spy agencies have reverse engineered software products, sometimes under questionable legal authority, and monitored web and email traffic in order to discreetly thwart anti-virus software and obtain intelligence from companies about security software and users of such software.

The documents do not describe any actual security compromises, but rather put on show the methods used by the NSA and GCHQ to undermine software that millions of people worldwide rely on to secure their data. One document shows an application for a warrant to reverse engineer security software because,

These actions, and others necessary to understand how the software works, may represent infringement of copyright. The interference may also be contrary to, or inconsistent with, the provisions of any licencing between GCHQ and the owners of the rights in the software.

This need for a warrant highlights the legal difficulties involved in reverse engineering products, when the relevant governments themselves have passed strict laws in support of software manufacturers precisely to prohibit such tampering!

Kaspersky Lab

One name that repeatedly comes up in the documents is that of respected Russian security outfit Kaspersky Lab, which appears to somewhat worry the UK spy agency,

Personal security products such as the Russian anti-virus software Kaspersky continue to pose a challenge to GCHQ’s CNE [Computer Network Exploitation] capability and SRE [software reverse-engineering] is essential in order to be able to exploit such software and to prevent detection of our activities.

This concern is also demonstrated by a 2010 slide presentation on ‘Project Camerdada’, in which the NSA discusses how it intercepted emails to Kaspersky that contained samples of malware. Some documents seem to suggest that the NSA was able to obtain information sent between Kaspersky’s company servers unencrypted because it was contained in the User-Agent Strings in the HTTP header requests.

reverse 2

Kaspersky denies that information could be leaked in such a way as it is anonymized so it ‘cannot be attributed to a specific user or company.’ As The Intercept article notes, however, Kaspersky has been known to fluff up before.

Despite the fact that Kaspersky is clearly capable of making mistakes (who isn’t) that are almost immediately jumped on by security agencies who clearly single the company out for special targeting, the fact that Kaspersky is such a target means we can be fairly confident that, unlike many other US and UK based security companies, it is not working hand in glove with security agencies to betray its customers…

Not just Kaspersky

The NSA and GCHQ clearly have their sights set on undermining and subverting all commercial security products, as another slide clearly demonstrates.

reverse 3

We are interested to note that no United States based anti-virus or security companies appear on this list (such as Norton Anti-virus maker Symantec Corporation), but can only speculate on the reasons why…

Although some may think that such wholesale assaults on the systems used to protect private and corporate data might be part and parcel of a spy agencies’ job (would we be so concerned to discover they had researched how to circumvent popular models of physical locks?), such attacks weaken all security, and make all users of the internet more vulnerable to theft and malicious damage.

Exclusive Offer
Get NordVPN for only
Get NordVPN for only