NSA denies exploiting Heartbleed bug for surveillance

The National Security Agency (NSA) has dismissed reports that it has been exploiting the Heartbleed vulnerability to carry out internet surveillance.

The NSA headquarters in Fort Meade, Maryland
The NSA headquarters in Fort Meade, Maryland

Citing “two people familiar with the matter”, Bloomberg reports that the US surveillance agency has been aware of the bug for two years, and has been exploiting the vulnerability ever since to gather ‘critical intelligence' from websites.

The report adds that the Heartbleed bug, which exploits a flaw in the Secure Sockets Layer (SSL) and Transport Layer Security protocol (TLS) designed to stop prying eyes viewing internet activity, has been used by NSA officers to obtain passwords and other basic data to act as the “building blocks of the sophisticated hacking operations at the core of its mission.” Bloomberg reporters said that this would leave ‘ordinary users' vulnerable to attack from other nations' intelligence arms and criminal hackers. 

The NSA was quick to respond to the allegations, issuing the following statements just two hours after the story broke. 

"Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong," said White House National Security Council spokeswoman Caitlin Hayden in a statement. 

“This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet,” Hayden added. 

Sceptics, however, are unlikely to be moved by such a response, especially in light of the agency's recent activities. The Verge reports that the agency is spending just under £1 billion (US$ 1.6 billion) a year on data processing and exploitation, while The New York Times added over the weekend that President Barack Obama himself has decided that the agency should reveal Internet flaws to the general public, but only if it's “a clear national security or law enforcement need”. This would seem to chime with the Bloomberg source who said that NSA decided not to warn US citizens and companies that their data was at risk from the compromised Heartbleed websites. 

Nick Pickles, director of civil liberties group Big Brother Watch, told SCMagazineUK.com that – if the rumours are true – it goes against what is supposed to be the NSA's mission. 

“There is a fundamental contradiction in having the NSA be responsible to cyber security and exploiting vulnerabilities in software,” he said via email. 

“Whether or not the NSA knew about Heartbleed, the wider question about whether the NSA should have a duty to notify software producers of vulnerabilities in their products must be addressed. President Obama's NSA review made clear that cyber offense and cyber defence should be done by separate organisations but that question has been wholly ignored by the White House.” 

“Confidence in online security is the basis of the digital economy and much of the real world economy. If people think that Government agencies will allow security vulnerabilities to be stockpiled and traded between intelligence agencies, rather than being fixed as soon as possible, then people will rightly question whether their confidence is misplaced. This is such a critical question that it cannot be dealt with in vague assurances and Congress should put on a legal footing the Government's responsibilities to maintain the integrity of essential networks above potential intelligence benefits.” 

In an interview with SC, Dave Lacey, futorologist and IOActive, added that while consumers should 'not be surprised' if the NSA is exploiting the bug, it is the organised criminals that represent the greater risk.

"No security technology is 100 percent secure. There are always potential flaws in design, implementation, administration and use," he said via email.

"The problem with Heartbleed illustrates the danger of technology monoculture. When something goes wrong the impact is potentially huge. The average citizen or business should not be surprised or worried about NSA exploiting the bug. It's organised crime we have to worry about. Fortunately the exploitation looks relatively difficult."

The report could well see questions asked of the Obama government and specifically on its intention to reform NSA actions and practices, but this is on the basis that Bloomberg's story is correct – some in the industry have speculated on how true the story is, with infosec expert Ashkan Soltani tentatively suggesting that there may have simply be confusion between the reporter's initial question on Heartbleed and the source's more general comment on the NSA's ability to monitor or break SSL. 

Heartbleed was first brought to public attention on 7th April by researchers at Google and small Finnish security firmCodenomicon, who discovered that web servers and other kit running Open SSL encryption system versions 1.0.1 to 1.0.1f could potentially be used by hackers to steal data without being traced. 

The flaw – which is said to have affected two-thirds of websites that use OpenSSL as well as routers and networking gear from Cisco and Juniper Networks, introduced in early 2012 can be rectified as soon as web servers upgrade to a newer version of the open source software – such as 1.0.1g. Alternatively, should this not fix the problem, web developers are being urged to recompile applications to turn off the Heartbeat extension, while users of some web services have been recommended to change passwords.