To penetrate the computers of foreign targets, the National Security Agency relies on software flaws that have gone undetected in the pipes of the Internet. For years, security experts have pressed the agency to disclose these bugs so they can be fixed, but the agency's hackers have often been reluctant.
Now with the mysterious release of a cache of NSA hacking tools over the weekend, the agency has lost an offensive advantage, experts say, and potentially placed at risk the security of countless large companies and government agencies worldwide.
Several of the tools exploited flaws in commercial firewalls that remain unpatched, and they are out on the Internet for all to see. Anyone from a basement hacker to a sophisticated foreign spy agency has access to them now, and until the flaws are fixed, many computer systems may be in jeopardy.
The revelation of the NSA cache, which dates to 2013 and has not been confirmed by the agency, also highlights the administration’s little-known process for figuring out which software errors to disclose and which to keep secret.
The hacker tools’ release “demonstrates the key risk of the U.S. government stockpiling computer vulnerabilities for its own use: Someone else might get a hold of them and use them against us,” said Kevin Bankston, director of New America’s Open Technology Institute.
“This is exactly why it should be U.S. government policy to disclose to software vendors the vulnerabilities it buys or discovers as soon as possible, so we can all better protect our own cybersecurity.”
The weekend’s release prompted immediate speculation about who might be behind it. A group calling itself Shadow Brokers claimed responsibility. Some experts and former employees suspect, although without hard evidence, that Russia is involved. Other former employees say it is more likely a disgruntled insider seeking to make a profit.
Whoever it is, “it’s very concerning that potentially someone working for another government is essentially holding hostage companies that are sitting behind these [firewalls], making them very vulnerable,” said Oren Falkowitz, chief executive of Area 1 Security and a former NSA analyst.
The firewalls sold by Cisco, Juniper and Fortinet are highly popular and work on large-scale enterprise systems. “These are very, very powerful and successful” products, Falkowitz said. “They aren’t devices bought by two people.”
Already, the firms are racing to reverse-engineer the code, identify any flaws and devise patches. Cisco confirmed Wednesday that one of the flaws was a “zero-day” — previously unknown to the public — and that it is working on a fix. The flaw was in a tool or exploit code-named Extrabacon.
Juniper spokeswoman Leslie Moore said the company is reviewing the released file. “If a product vulnerability is identified, we will address the matter and communicate to our customers,” she said.
Fortinet spokeswoman Sandra Wheatley Smerdon said that the firm is “actively working with customers” who are running the FortiGate firewall version 4.X and that it “strongly” recommends that they update their systems “with the highest priority.”
The government has a process for determining when to share software flaws. Agencies such as the NSA and the FBI are supposed to submit any flaws they discover to a multiagency group of experts, who then weigh whether the advantage of keeping the vulnerabilities secret outweighs the benefit to the public's cybersecurity of disclosing them.
White House cybersecurity coordinator Michael Daniel has said that “in the majority of cases,” disclosure of the bug is in the national interest. The multiagency process didn’t really begin until spring 2014. The NSA had had its own internal process for years before that.
Either way, in this case, disclosure never happened.
“This is what happens when you have security agencies hoarding exploits insecurely — poorer security for all,” said Kevin Beaumont, a cybersecurity researcher who verified that some of the leaked tools rely on still unpatched vulnerabilities.
Former NSA personnel who worked with the tool cache that was released say that when they worked at the agency, there was an aversion to disclosure.
“While I was there, I can’t think of a single example of a zero-day [flaw]” used by the agency “where we subsequently said, ‘Okay, we’re done with it and let’s turn it over to the defensive side so they can get it patched,’ ” said the former employee, who worked at the agency’s Tailored Access Organization for years. During that time, he said, he saw “hundreds” of such flaws.
He added: “If it’s something in active use, my experience was they fight like all get-out to prevent it from being disclosed.”
Said a second former employee, who also spoke on the condition of anonymity to describe sensitive government operations: “It’s hard to live in a world where you have capabilities and you’re disclosing your capabilities to your defensive team.”
This former operator said that sometimes a vulnerability is patched, but that “if you weaponize it in a different fashion” with a special technique, “maybe that’s one way to increase the longevity of a tool.”
In that way, a flaw could still be good for several years.
“Two or three years is not really a long time for a bug to go undiscovered,” said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy & Technology.
For example, a major vulnerability called Heartbleed made its way into the code of widely used encryption software in 2011, but didn’t come to light until 2014, he noted. Last year, Microsoft fixed a critical zero-day bug that had been lurking in Windows for at least a decade.
“There are so many vulnerabilities in software that we can’t possibly find them all,” Hall said. “It’s really kind of scary, especially when you’re talking about technology like firewalls, which are supposed to help keep systems safe.”
Experts studying the release say the material probably was stolen in October 2013, the date of the most recently created file in the cache. If that's true, then someone, possibly another spy agency, has had time to hack companies using the vulnerable firewalls or to watch the NSA's own cyber spying.
Past NSA employees, including former contractor Edward Snowden, say it is unlikely that the material was hacked from the agency’s servers. It is more likely, some say, that the tools were uploaded and inadvertently left by a TAO hacker on a server used to stage hacks on targets. These servers are sometimes called redirectors or staging servers, and they mask the hacker’s true location.
The NSA has always had audit controls on its systems. But particularly in the wake of leaks of classified material by Snowden that began appearing in the media in June 2013, the agency has strengthened its control mechanisms.