Turning security flaws into cyberweapons endangers Canadians, experts warn
Critical software updates raise questions about intelligence agencies' hacking powers
Apple's decision to issue emergency security updates to iPhone users and the recent news that a hacking group apparently stole NSA cyberweapons and posted them online is prompting security experts to question whether the use of security flaws as weapons by intelligence agencies puts citizens in danger.
Spyware or malware that exploits previously unknown security flaws, such as the three fixed by Apple, can enable a hacker to take control of a device and spy on calls and messages, turn on the microphone and camera to eavesdrop on nearby conversations and even modify, delete or add information.
- Apple boosts iPhone security after Mideast spyware discovery
- Spy agencies target mobile phones, app stores to implant spyware
- SYNful Knock cyberspying malware takes over Cisco routers
While Apple and other companies have issued patches to protect users after security flaws are discovered, security experts are concerned that intelligence agencies are withholding knowledge of flaws so they can exploit them. In the meantime, those same flaws could be exploited by others, too.
The iPhone security flaws were discovered after they were used in an attempt to hack a human rights activist in the UAE and a journalist in Mexico.
An investigation by Citizen Lab and mobile security firm Lookout linked the attack to Israel-based cyber outfit NSO Group, which sells spyware to governments.
Intelligence agencies like the NSA and Canada's Communications Security Establishment (CSE) treasure security flaws because they make it easy to hack into computers around the world to engage in espionage, or even sabotage.
The documents leaked by NSA whistleblower Edward Snowden in 2013 revealed close ties between the NSA and CSE.
'Exploit it all'
At a 2011 meeting of the Five Eyes intelligence agencies, the NSA described its "collection posture" as "Collect it All," "Process it All," "Exploit it All," "Partner it All" and "Know it All," according to a slide leaked by Snowden.
"Five Eyes work in lockstep on all of this," said security expert Bruce Schneier, a fellow at the Berkman-Klein Center at Harvard University, referring to the partnership involving the security agencies of the U.S., U.K., Canada, Australia and New Zealand.
"The Snowden docs demonstrate that CSE is active in identifying vulnerabilities," Christopher Parsons, a post-doctoral fellow at Citizen Lab, told CBC.
"The fact that CSE identifies vulnerabilities and is not reporting them means users are not receiving patches in order to secure their networks."
Parsons said this "creates a really dangerous scenario."
"Canadians need to have a discussion about this. Do we want to live in a world in which we're protecting our own citizens? Or should the priority of Canadian government organizations [like CSE] be first and foremost hacking foreign systems?"
Weaponized security flaws can have destructive powers, as was seen with the Stuxnet worm.
Discovered in 2010, the joint U.S./Israeli operation used the cyberweapon to destroy centrifuges at Iran's Nantaz nuclear enrichment facility.
Using a browser flaw
An investigation by CBC last year revealed that CSE exploited security flaws in one of the world's most popular browsers and planned to hack into smartphones using links to Google and Samsung app stores.
If CSE can find a security flaw, then Russia or China or a criminal might find the same flaw. A foreign intelligence agency could also steal the flaws CSE decides to weaponize, Schneier said, pointing to the theft of the NSA's cyberweapons.
The NSA's weapons were posted online by a group going by the name of Shadow Brokers, ostensibly as a teaser for an "auction" of more weapons: "!!! Attention government sponsors of cyber warfare and those who profit from it !!!! How much you pay for enemies cyber weapons?"
The stolen weapons date from 2013, and contain numerous security flaws in popular routers.
"Russians hacked the NSA and stole security vulnerabilities and they're going to use them against us," Schneier said.
If the NSA — the most powerful spy agency in the world — can get hacked, CSE can also get hacked, critics said.
"Hoarding vulnerabilities harms our security," Schneier said, "and if Canada is complicit in it happening, then Canada is at fault."
The Shadow Brokers leak highlights the tension between a government's desire to use security flaws for intelligence gathering and law enforcement purposes and the need to fix security flaws to prevent foreign spies and criminals from exploiting them.
Snowden himself chimed into the debate after the Shadow Brokers leak via Twitter.
The inevitable consequence of maintaining known vulnerabilities in US products is their discovery by enemies. <a href="https://t.co/LWw9kA8xEe">https://t.co/LWw9kA8xEe</a>—@Snowden
The U.S. government has tried to balance these conflicting interests with the Vulnerabilities Equity Process (VEP), which evaluates security flaws discovered by the U.S. government and decides which to fix and which to use.
The VEP is a good start to the conversation, Parsons said, but a terrible end result from a policy perspective.
"There's widespread acknowledgment among experts that the VEP is a farce," Chris Soghoian, principal technologist at the American Civil Liberties Union in Washington, told CBC. He criticized the process for weighing too heavily in favour of weaponizing security flaws.
"On the other hand," he added, "even though it's a farce, it's still better than anything any other country has."
Canada lacks such a process.
CSE declined to comment on how it evaluates security flaws.
Public Safety Canada noted in a statement that the Canadian Cyber Incident Response Centre (CCIRC) "works to protect organizations from cyber threats in part by sharing timely and accurate information regarding vulnerabilities."
Public Safety Canada also recently announced an eight-week public consultation on cybersecurity that ends in mid-October.
However, there is no evidence that the CCIRC has any decision-making role in the CSE's evaluation process, which remains secret.
"The secrecy is toxic," Schneier said, "and [also] the fact that we are prioritizing surveillance over security."
"We are choosing insecurity," he added. "We are choosing surveillance. If we do the right things the process will work. If we do the wrong things the process will fail."
Canadian politicians, judges, journalists and business leaders use smartphones vulnerable to the flaws now fixed by Apple — and to flaws still unknown. The country's infrastructure is increasingly networked and vulnerable to sabotage by a foreign intelligence agency.
In such a world, Parsons wondered, does national security mean using security flaws against potential enemies? Or disclosing and fixing them?
"We haven't had that debate in this country," he said.