As the RSA Security conference winds down after a long five days in San Francisco this week, the overall debate and discussion have been dominated by serious, daily handwringing over Edward Snowden and the NSA revelations. But the real story that is getting only a fraction of the attention may well be how hackers, legal or not, have been able to capture huge amounts of data from anyone who owns a tech device.
If you are an iPhone owner, you may have noticed that a minor security update to the iOS software that runs your device was “pushed” to all users by Apple last Friday. The original explanation from Apple was that an attacker “with a privileged network position” could capture or modify data.
However, reports in the last few days indicate that the iPhone had a previously undiscovered bug called “Gotofail” that allowed anything a user tweeted, emailed, posted to Facebook, or transacted financially to be intercepted by someone else. In other words, over 600 million iPhone users had been victimized by a backdoor.
That the iPhone (and also Mac OS X, as it turns out) could be so easily exploited is surprising, to say the least. Apple’s technology (unlike the popular Android platform) has generally been considered more secure than others. But the presence of a backdoor, an installed program or piece of code that bypasses security controls and allows unauthorized access, gives rise to speculation that a secret pipeline out of our personal devices may not be a mere accident.
Apple has categorically denied working with the NSA to create a backdoor inside any of their products. But as coder John Gruber pointed out in his blog a few days ago, when iOS 6 was introduced (with the undiscovered bug) in the fall of 2012, the NSA almost immediately began to pull data from the previously impregnable iPhone, according to the documents stolen by Snowden. The tech community is struggling to chalk up the timing of the two events as merely a startling coincidence.
Suspicions about backdoors intentionally placed in operating systems to secretly capture information are not new. When the NSA acknowledged working with Microsoft to develop Windows Vista in 2007 and again on Windows 7 in 2009, there was plenty of speculation that the agency was planting backdoors then. The company’s Scott Charney took great pains to address this issue again in his RSA speech on Tuesday when he emphatically denied that Microsoft had ever knowingly put backdoors in its software.
General Michael Hayden, former director of both the NSA and CIA, talked about the use of such backdoors at an Aspen Institute conference back in 2011. His talk was directed at the role of backdoors in combating international terrorism, but Hayden dropped a hint about other uses in his RSA appearance this week when talking about the NSA’s current problems. “The NSA is being condemned because they’ve been listening to good people,” said the former agency chief.
Continuing revelations pouring out of the NSA documents point toward the use of backdoors in an astounding number of devices. Two months ago, the newsmagazine Der Spiegel reported that the NSA had compromised products made by Cisco, Dell, Juniper, Maxtor, Samsung, Seagate, Western Digital, and the Chinese giant Huawei. The companies have all denied working with the spy agency, so the assumption at this stage is that the NSA found a way to infiltrate the technology by remote means.
The fact that backdoors were there at all suggests that privacy in today’s uber-connected world is rapidly becoming a distant memory. There has been much outrage about documented instances where foreign nations, such as China, routinely hacked into American networks. But as Nicole Perlroth, a cybersecurity reporter for the New York Times, commented at an RSA panel discussion on Wednesday, “It’s a little awkward to be calling out China when what we’re doing seems to be so successful.”
In his opening remarks at the big cybersecurity conference this week, RSA chairman Art Coviello said, “We’re in the midst of chaos and confusion…where there is a lack of societal norms to guide our digital world.” Now, after a week of teeth gnashing and high-level concern, it will be interesting to see what the security industry does about it in the months ahead.