After Shadow Brokers, Should the NSA Still Be Hoarding Vulnerabilities?
This weekend’s Shadow Brokers leak dropped 300Mb of stolen data onto the open web, including live exploits for some of the web’s most crucial network infrastructure, apparently stolen from the NSA in 2013. But while experts are still sorting out who stole the data and how, the new exploits have also left companies like Cisco, Fortinet, and Juniper scrambling to fix the newly published attacks against their systems. Suddenly, there was a new way into products that had been considered secure for years — and anyone who downloaded the data knew exactly how to get in.
The scramble to protect those devices is already underway, but it has raised new questions about how the NSA discovers and develops methods for breaking security products. Whoever was behind the Shadow Brokers leak had access to these exploits for three years before publishing them, allowing them to completely subvert some of the most popular network protection devices available. That’s a threat to users, companies, and anyone caught on the protected network — and whether intentional or not, it appears to be a direct result of work done by the NSA. It raises an uncomfortable question: should the NSA have told the companies about the weaknesses in their software three years ago?
The vulnerabilities involved are serious ones. One group of vulnerabilities targets Cisco’s Adaptive Security Appliances, a network firewall appliance often used to protect large data centers. The exploits allow attackers to break through the firewall without a username and password, masquerading as SNMP data. Another attack triggered remote code execution in Fortinet’s FortiGate firewalls by exploiting a flaw in the onboard cookie parser buffer.
It’s genuinely unclear whether the NSA was aware those exploits had been compromised. Metadata in the Shadow Brokers dump indicates the hack most likely occurred in 2013, but there’s been significant disagreement over whether the likely culprit was a foreign intelligence service or an insider threat — and whether the agency was aware the theft had occurred.
But if the NSA was aware the exploits had fallen into the wrong hands, the decision not to report the attacks may well have caused significant compromises in the intervening years. Whoever leaked the exploits appears to have had sustained access to them for the past three years, and if the culprits were truly Russian intelligence, they would have had ample reason to use the exploits. The result would be far more damaging than bugs like Heartbleed or Shellshock, which were both patched just a few days after being discovered.
"This is basically a question of whether the Vulnerability Equities Process is merely very broken, or unbelievably broken." — matt blaze (@mattblaze) August 18, 2016
The Shadow Brokers dump has resulted in a scrambling cleanup operation for all the companies affected by the breach. In a statement, Cisco reps said the company "immediately conducted a thorough investigation of the files," identifying the two vulnerabilities and issuing security advisories on Wednesday. Fortinet issued a corresponding patch on the same day. Juniper has yet to comment on its appearance in the leaks, fueling speculation that the company may have cooperated with intelligence agencies in subverting its own products. (Fortinet and Juniper did not respond to a request for comment.)
In each case, the result is a very bad week for the company and its customers, pain that could have been avoided if the vulnerabilities had been disclosed back in 2013. For critics, that’s a sign that the government isn’t taking collateral damage into account. "When the NSA screws up, it’s US technology companies that have to bear the reputational costs," says ACLU Chief Technologist Chris Soghoian, a longtime advocate for more aggressive disclosure requirements. "The NSA gets to avoid all of the unpleasantness associated with its mistakes."
Decisions on how and when to disclose vulnerabilities discovered by US government agencies are dictated by the Vulnerabilities Equities Process, a complex policy directive set by the president. It’s still largely secret, despite the EFF’s best efforts, but the broad principle is to balance the potential damage of a vulnerability against its usefulness to intelligence agencies. Still, it’s unclear when a vulnerability triggers that examination, and it’s difficult to say whether any of the vulnerabilities dropped by the Shadow Brokers ever went through the process.
It’s still a controversial system, drawing criticism from civil liberties groups for not disclosing enough while many in the intelligence community see it as burning valuable exploits without improving overall vendor security.
For Soghoian, the issue is the makeup of the group itself, which is largely composed of intelligence, military, and law enforcement representatives and does not include agencies like the FTC, the Department of Commerce, or the National Institute of Standards and Technology, which might be more attuned to the damage the exploits can do once released. "If they’re not in the room, then the VEP is never going to get anywhere," Soghoian says. "They need to have an equal voice."
In the meantime, Cisco, Fortinet, and Juniper are left defending both their products and their reputations. Now that the patches have been deployed, the hardest work is over, but the long-term outlook is less clear. "Every time the NSA screws up, they make the US tech industry look bad," Soghoian says. "The world relies on US software and hardware, and if we want that to continue, then maybe the cost of that is that the NSA has to hold back a bit."