Senator Wyden Wants To Know If The NSA Is Still Demanding Tech Companies Build Backdoors Into Their Products

from the build-them-or-we'll-just-build-our-own dept

It's been more than a half-decade since they made headlines, but the NSA's hardware manipulation programs never went away. These programs -- exposed by the Snowden leaks -- involved the NSA compromising network hardware, either through interception of physical shipments or by the injection of malicious code.

One major manufacturer -- Cisco -- was righteously angered when leaked documents showed some of its hardware being "interdicted" by NSA personnel. It went directly to Congress to complain. The complaint changed nothing. (Cisco, however, changed its shipping processes.) But even though the furor has died down, these programs continue pretty much unhindered by Congressional oversight or public outcry.

One legislator hasn't forgotten about the NSA's hardware-focused efforts. Senator Ron Wyden is still demanding the NSA answer questions about these programs and give him details about "backdoors" in private companies' computer equipment. The DOJ and FBI may be making a lot of noise about encryption backdoor mandates, but one federal agency is doing something about it. And it has been for years.

Not only has the NSA installed its own backdoors in intercepted devices, it has been working with tech companies to develop special access options in networking equipment. This allows the agency to more easily slurp up communications and internet traffic in bulk. Senator Wyden wants answers.

The agency developed new rules for such practices after the Snowden leaks in order to reduce the chances of exposure and compromise, three former intelligence officials told Reuters. But aides to Senator Ron Wyden, a leading Democrat on the Senate Intelligence Committee, say the NSA has stonewalled on providing even the gist of the new guidelines.

“Secret encryption back doors are a threat to national security and the safety of our families – it’s only a matter of time before foreign hackers or criminals exploit them in ways that undermine American national security,” Wyden told Reuters. “The government shouldn’t have any role in planting secret back doors in encryption technology used by Americans.”

No one knows what's in the guidelines and whether they forbid the NSA from backdooring hardware or software sold to US buyers. All the NSA is willing to say is it's trying to patch things up with domestic tech vendors by, um, giving them more stuff to patch up.

The agency declined to say how it had updated its policies on obtaining special access to commercial products. NSA officials said the agency has been rebuilding trust with the private sector through such measures as offering warnings about software flaws.

This is a welcome change after years of exploit hoarding. But there's no reason to believe the NSA isn't holding useful flaws back until they've outlived their exploitability. As for the built-in backdoors, the NSA refuses to provide any details. It won't even answer to its oversight. And if it won't do that, it really needs to stop saying things about "robust oversight" every time more surveillance abuses by the agency are exposed.

There's more to this than potential domestic surveillance. Any flaw deliberately introduced in hardware and software can be exploited by anyone who discovers it, not just the agency that requested it. The threat isn't theoretical. It's already happened. In 2015, it was discovered that malicious hackers had exploited what appeared to be a built-in flaw to intercept and decrypt VPN traffic running through Juniper routers. This appeared to be a byproduct of the NSA's "Tailored Access Operations." While Juniper has never acknowledged building a backdoor for the NSA, the circumstantial evidence points in No Such Agency's direction.

[Juniper] acknowledged to security researcher Andy Isaacson in 2016 that it had installed Dual EC [Dual Elliptic Curve] as part of a “customer requirement,” according to a previously undisclosed contemporaneous message seen by Reuters. Isaacson and other researchers believe that customer was a U.S. government agency, since only the U.S. is known to have insisted on Dual EC elsewhere.

This is the danger of relying on deliberately introduced flaws to gather intelligence or obtain evidence. Broken is broken and broken tools are toys for malicious individuals, which includes state-sponsored hackers deployed by this nation's enemies. It's kind of shitty to claim you're in the national security business when you're out there asking companies to add more attack vectors to their products.


Filed Under: 4th amendment, backdoors, nsa, ron wyden, surveillance
Companies: cisco, juniper


Reader Comments



  • That One Guy, 29 Oct 2020 @ 11:43am

    Sometimes silence speaks for itself

    As the NSA would have no reason not to clearly say that they aren't trying to pressure companies to slip in security vulnerabilities, and plenty of reasons to say so, as they could really use the positive PR after getting caught with their hands in all the cookie jars thanks to Snowden, the fact that they refuse to answer what is really a simple question is answer enough, I'd say.


    • Khym Chanur, 30 Oct 2020 @ 2:34am

      Re: Sometimes silence speaks for itself

      I'm no fan of the NSA, but I have to disagree here. If you answer questions sometimes but refuse to answer questions other times, it lets others infer information, but if you refuse to answer any questions about anything then no one can infer information from your refusal to answer.


  • matalis, 29 Oct 2020 @ 1:29pm

    silence

    yup, the NSA is wisely silent about dirty deeds --- why confess?

    "Senator Ron Wyden is still demanding the NSA answer questions about these programs" --- which means his decades of previous demands have been successfully ignored.

    Only Snowden succeeded.


  • Anonymous Coward, 29 Oct 2020 @ 1:29pm

    Remember: When Senator Wyden asks a question publicly, it usually means he's got a classified answer to it, and we are not going to like that answer.


    • Anonymous Coward, 29 Oct 2020 @ 2:23pm

      Re:

      How do you know that to be true?

      Even if a classified response is received it does not mean NSA actually answered the questions posed.


      • Anonymous Coward, 29 Oct 2020 @ 2:43pm

        Re: Re:

        Not a response, frequently it's a thing Wyden already knows before he asks the question. This is how it works, historically. Maybe try reading it again.


  • Darkness Of Course, 29 Oct 2020 @ 1:41pm

    What about front doors?

    Considering the persistent failure rate in tech, is it even necessary for the NSA to ask?


  • Pixelation, 29 Oct 2020 @ 6:41pm

    Ollie North

    They will just give the Oliver North answer...

    I do not recall, Senator.


  • VTEX, 29 Oct 2020 @ 9:19pm

    Wyden

    Senator Wyden is the best damn member of Congress, hands down. I wish more had his integrity and intelligence.


  • TasMot, 2 Nov 2020 @ 4:59am

    Senator Wyden

    OK, he seems to have a lot of integrity and willingness to ask the hard questions. How do we make sure he keeps getting elected and doing such a great job? I, for one, hope he can stay around for a while and keep poking NSA and others to keep them straight. I don't see many others doing it.



