As the world comes to terms with the full seriousness of the Heartbleed bug, questions are starting to be asked about the role that the National Security Agency (NSA) may have played in the security flaw. On the morning of Friday 11th April rumours started to circulate on social media sites such as Twitter and Reddit, and it wasn’t long before they were picked up by the mainstream press.
Bloomberg published an article claiming that two people close to the NSA had informed them that the infamous government agency had known about Heartbleed for as long as two years – using it to gather critical intelligence, obtain passwords, and grab other basic data that ultimately became the foundation for its recent-unveiled hacking operations.
Knowledge of the Heartbleed flaw supposedly allowed the agency to bypass strong encryption systems – the same systems that had been hailed by Edward Snowden as “one of the few things that you can rely on” in a Q&A session with British newspaper The Guardian in June 2013.
Social media users came down on both sides of the argument, some praising the NSA for using the bug to their advantage, whilst others criticised the agency for allowing the flaw to carry on for so long unreported.
The agency initially declined to comment on the story, but by mid-afternoon they were forced to deny that they had any knowledge of the glitch. NSA spokesperson Vanee Vines issued the following statement to the media:
“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Reports that say otherwise are wrong”
The statement was quickly ridiculed, with people pointing out that given the NSA’s history of lying, there was no reason to suddenly believe them in this latest episode.
As the rumours refused to die, the Federal Administration was forced to take action. The White House National Security Council Spokesperson Caitlin Hayden followed her NSA counterpart by issuing a statement on behalf of Barack Obama and the American government:
“If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL”
Although the story fans the flames of anger that many still feel after last year’s NSA spying revelations, it has to be pointed out that the practicalities of using Heartbleed to steal data are not particularly efficient for the agency.
As Wired Magazine points out, the nature of the bug means only 64kb data of system’s memory can be obtained by sending a query, and the data that is returned is entirely random. There is no limit to the number of queries that can be made, but nobody has yet come forward with method that proves the ability to reliably and consistently extract a server’s persistent key by using Heartbleed. Various challenges have started to emerge online to crack the code, with website optimisation company Cloudfare issuing the following statement:
“If it is possible [to retrieve a private key], it is at a minimum very hard. We have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible”.
That said, the NSA has held ambitions of cracking SSL to decrypt traffic for a long time. Since British press reported that in late 2013 the NSA and its UK counterpart GCHQ had successful hacked much of the encryption used to protect bank accounts, emails, and online transactions, there has been increasing speculation amongst security experts about whether the agency had finally achieved its goal.
Ultimately no one can be sure of whether the NSA was involved. Given the lack of hard evidence is would be dangerous to suggest that they were definitely aware of Heartbleed, but it could also be argued that there is no smoke without fire. It’s for you to decide.
Do you think the NSA was involved, or are the reports a result of the media taking advantage of the public’s sense of vulnerability? Let us know in the comments below.
Update: Since this article was first written least four people have independently solved Cloudfare’s Heartbleed Challenge. The first to do so was software engineer Fedor Indutny at NCSC-FI, roughly 9 hours after the challenge was first published. Fedor sent 2.5 million requests over the course of the day.
It means website hosts now need start the expensive and time consuming job of revoking their SSL certificates. Failure to do so jeopardises both the site and its users because it means hackers that have the private keys can impersonate servers even if they have already been patched.
By Daniel Price