Don’t Trust Your Phone, Don’t Trust Your Laptop

Edward Snowden’s astute revelations show that no electronic communications device – from hard disks to sim cards – is trustworthy

By John Naughton

March 10, 2015 "ICH" - "The Guardian" -

Back in July 2013, a few weeks after Edward Snowden’s revelations about internet and mobile-phone surveillance began, I wrote a column that began: “Repeat after me: Edward Snowden is not the story. The story is what he has revealed about the hidden wiring of our networked world.”

The spur for the column was my realisation of the extent and astuteness of Snowden’s choice of what to collect and reveal. His was not some opportunistic smash-and-grab data heist, but a considered, informed selection of cases where he thought that the National Security Agency was violating the US constitution and/or circumventing its laws. Snowden was clearly no stereotypical left-wing dissident; he seemed closer to what US constitutional lawyers called an “originalist” – someone who regards the constitution as a sacred, inviolable document that citizens – and their governments – must continue to respect and adhere to. If Snowden were in the US today, I suspect he would be a supporter of Rand Paul.

What Snowden did was careful and considered: he identified examples of what he regarded as unconstitutional activities on the part of the NSA and then downloaded documentary evidence of these activities that would corroborate his judgment. Given the staggering scale of the activities revealed, I remember thinking that it would take us a long time to realise the full extent of the surveillance mesh in which we are entangled. So it has proved.

But a few recent revelations suggest that we may now be getting down to bedrock. Two concern the consummate hacking capabilities of the NSA and its overseas franchises. The first – which came not from Snowden but from Kaspersky, a computer security firm – showed that for at least 14 years a unit in the NSA had succeeded in infecting the firmware that controls hard disk drives with malicious software that is able to persist even through reformatting of the disks.

Firmware is computer code embedded in a read-only silicon chip. It’s what transforms a disk from a paperweight into a storage device. The hack is significant: the Kaspersky researchers who uncovered this said its ability to subvert hard-drive firmware “surpasses anything else” they had ever seen. Being able to compromise firmware gives an attacker total control of the system in a way that is stealthy and lasting, even through software updates. Which means that the unsuspecting victim can never get rid of it. If you think this has nothing to do with you, the compromised drives were manufactured by most of the leading companies in the disk-drive business, including Western Digital, Seagate, Toshiba, IBM, Micron and Samsung. Check your laptop specifications to see which one of these companies made the drive.

The second revelation, last month, came from a GCHQ presentation provided by Snowden and reported in online publication the Intercept. Documents showed that a joint NSA/GCHQ team had hacked into the internal computer network of Gemalto, the world’s largest manufacturer of sim cards, stealing, in the process, encryption keys used to protect the privacy of mobile communications internationally.

Gemalto makes the chips used in mobile phones and credit cards and numbers among its customers AT&T, T-Mobile, Verizon, Sprint and 450 other mobile network providers. It currently produces 2bn sim cards a year.

If the attempted breach were successful, it would give security agencies the potential to monitor covertly the mobile phone communications of a large portion of the world’s population. Gemalto has conducted an investigation which concludes that there are “reasonable grounds to believe that an operation by NSA and GCHQ probably happened”, but that the attack “only breached... office networks and could not have resulted in a massive theft of sim encryption keys”. And even if the intruders had stolen encryption keys, the company claims that “the intelligence services would only be able to spy on communications on second generation 2G mobile networks. 3G and 4G networks are not vulnerable to this type of attack.”

Oh yeah? The implication of these latest revelations is stark: the capabilities and ambitions of the intelligence services mean that no electronic communications device can now be regarded as trustworthy. It’s not only your mobile phone that might betray you: your hard disk could harbour a snake in the grass, too.

No wonder Andy Grove, the former boss of Intel, used to say that “only the paranoid survive” in the technology business. Given that we have become totally dependent on his industry’s products, that knowledge may not provide much consolation. But we now know where we stand. And we have Edward Snowden to thank for that.

© 2015 Guardian News and Media Limited