This article is something of a sequel to my thoughts about the WannaCry case.
The NSA relies on a large database of undisclosed and unfixed software vulnerabilities that lets it break into any system deemed either hostile or useful for its intelligence gathering. As explained by former NSA director Michael Hayden:
If the agency thinks that no one else will be able to exploit a vulnerability, it leaves the problem unfixed to aid in its own spying efforts.
Only when the NSA estimates that the vulnerability may be known to someone else, and therefore represents a potential risk to US safety, does it inform the vendor so the vulnerability can be fixed.
Sometimes this process hits a hiccup, with a vendor interfering with NSA activity, as most probably happened to Microsoft in the MS08-067 case. Microsoft detected that an unidentified attacker was using a previously unknown vulnerability in Windows to gain access to systems located in Asia. Microsoft released a fix and strongly urged its customers to apply the associated update.
I may be speculating, but it seems reasonable to me to think that Microsoft and the NSA should then be working closely together to protect their mutual interests without stepping on each other’s toes. Such cooperation can follow various routes:
Despite regular claims such as “we do not provide any government with the ability to break the encryption” or “our products do not contain back doors”, the past has shown that Microsoft agrees to put backdoors in its systems at the request of allied governments, as demonstrated by the infamous Microsoft KB article KB955417 published in 2008. The KB article itself has recently been retired from the Microsoft website and only the associated updates remain available, so here is the KB content:
To make sure that the product was available to the French market in a synchronized manner with all locales, Microsoft chose to disable the encryption of Protected Storage by using a single, fixed encryption key for the French locale.
This is what a real-life vendor backdoor in an operating system looks like. Some may argue this is an old story, but Microsoft also does this with its various online services (again bypassing users’ data encryption; it was on this occasion that the NSA praised Microsoft, stating that “collaborative teamwork was the key to the successful addition of another provider to the Prism system”), and the recent leak of a “golden key” turned a backdoor back against Microsoft itself (and all its users). Microsoft is not the only one to implement this kind of feature, and the NSA is known to actively pay cooperating companies to comply with its surveillance program or, even worse, to include NSA-designed flaws in their products.
The NSA may inform Microsoft of the vulnerabilities it finds, with Microsoft committing not to fix them until told otherwise. This spares the NSA the issue mentioned above, Microsoft fighting an “unknown attacker” that may be the NSA itself working for US interests, and it lets Microsoft prepare fixes in advance in case things go wrong.
This collaboration, however, does not seem to work as it should (see the February Patch Tuesday cancellation, which should not have happened), and Microsoft seems (at last!) to be adopting a firm stance on the current situation:
Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. […]
Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. […]
The governments of the world should treat this attack as a wake-up call.
Let’s just hope these are not more empty words, as they are in line with what many security researchers have been saying for years: that leaving known vulnerabilities unfixed is dangerous, and that the NSA is overconfident in its ability to judge whether other actors can discover, acquire and/or use the vulnerabilities it knows about.
Some security companies and agencies used to consider themselves out of reach. The risk of an opponent breaking into their systems and not only acquiring their data but also using it publicly was perceived as purely theoretical. The NSA, the CIA, Gamma, Hacking Team, and the list goes on: all of these are concrete examples that this risk is now anything but theoretical.
The Shadow Brokers give us a glimpse of the practical consequences of neglecting this risk, this time not in the diplomatic sphere but in the real, physical world.
As stated by Edward Snowden:
This weekend, NSA’s tools attacked hospitals.
Schneier already warned us:
There’s something going on inside the intelligence communities in at least two countries. […] We have no idea why, or where it will go next, and can only speculate.
We can speculate, but we can also hope:
- As security professionals or enthusiasts, we can hope that private and public organizations will move toward sounder IT hygiene and responsible IT management, and that people always remember that the “virtual world” is not limited to the space of their screen: every action may have a direct impact on other people’s lives.
- As citizens, we can hope that our governments will put their arm wrestling on hold: what in previous years was an information disclosure has today become a global cyber-attack, with dramatic consequences in some cases. We can hope that they will instead act responsibly, not to win an escalating show of strength but to ensure people’s safety, which should have been their main goal all along.