Even More Alarming Security Threats

Alarming security threats - hard drives, SIMs, and Lenovo malware

The latest threats to your security come from the good guys. They’re completely out of control. Give up any lingering dream of having any privacy. We depend on technology, and our technology is firmly in the grip of governments and advertisers watching our every move.

Really, this last week has been over the top. Malware that bypasses every known protection for hard drives; millions of smartphones compromised by hacked SIM cards; and spyware distributed accidentally by Lenovo that opens a gaping security hole.

There’s no advice at the end of this article. Don’t look at the bottom for suggestions about how to protect yourself. This is the kind of week that just makes you shake your head and wonder if we’re already doomed.

The NSA subverts hard drives

Kaspersky researchers uncovered a hacking module that subverts hard drive firmware, meaning it operates at a level that is 100% invisible to the computer’s operating system, as well as being unaffected by anything done to the hard drive – formatting it or deleting the partitions on it, for example. If a hard drive is encrypted, the malware runs at such a low level that it can grab data before it is encrypted, or get the encryption password so the entire drive can be unlocked. The hacking tool can create invisible space on the hard drive to hide data so it can be retrieved later.

The firmware-hacking module is believed to have been created by the NSA. As far as anyone knows, it has only been used on very specific high value computers. Kaspersky claims to have personally observed 500 instances but suggests that many more infections might be out there. The malware is so deeply hidden that it was only luck that led Kaspersky researchers to it now. They believe it has actually been operating for fifteen years.

Here’s a summary of the initial disclosure by Kaspersky, and here’s a more in-depth explanation of how the malware works.

It’s obvious but it deserves to be said: The NSA and other Western intelligence agencies have proven that they want to monitor all data and communications – yours, mine, the good guys, the bad guys, domestic, global. Now we have a demonstration of technology that bypasses all known protection for computer hard drives. That’s bad news even if it has not yet been fully exploited. And even if you trust the NSA, you have to know that it is not the only organization with smart people devoting themselves to spying on hard drives. Yes, yours.

The NSA and GCHQ subvert smartphones

The latest Edward Snowden documents reveal that the NSA and Britain’s GCHQ compromised Gemalto, the world’s largest SIM card manufacturer, five years ago and stole the encryption keys used to secure the company’s SIM cards. Gemalto supplies two billion SIM cards each year to 450 carriers around the world, including Verizon, AT&T, Sprint and T-Mobile.

Encryption keys are only stored in two places: on your phone and in the wireless carriers’ data centers. It’s time-consuming and difficult for the intelligence agencies to use the legal system to compel a turnover of specific encryption keys. So the agencies hacked into Gemalto’s network, spied on employees and engineers, and intercepted keys for millions of SIM cards. With the keys, they are able to access personal data and tap into voice and data communications all over the world.

Gemalto claims to be completely gobsmacked by the news. It could be telling the truth; in the last couple of years, we’ve learned all too well how eager the NSA is to spy on communications without the knowledge of users or mobile carriers, if possible, although it also hasn’t hesitated to demand secret cooperation from the same mobile carriers and other companies if necessary.

If the information in the leaked documents is true, then the NSA planted malware on Gemalto computers, spied on sales and engineering staff computers at cellular companies, manipulated billing servers to conceal its activity, as well as penetrating the telecom authentication servers and decrypting data and voice communications. The hack was first disclosed in an article in The Intercept, which ends:

‘The U.S. and British intelligence agencies pulled off the encryption key heist in great stealth, giving them the ability to intercept and decrypt communications without alerting the wireless network provider, the foreign government or the individual user that they have been targeted. “Gaining access to a database of keys is pretty much game over for cellular encryption,” says Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute. The massive key theft is “bad news for phone security. Really bad news.”’

Lenovo subverts its own computers

For four months, Lenovo included a program named “Superfish” on its consumer Inspiron laptops. It appeared to be typical adware, the kind of crap that PC manufacturers have been including for years to ruin our computer experiences and make us hate new computers.

Among other things, Superfish had a technique to inject ads into web pages that were intended to be secure – the “https://” addresses with the padlock that’s intended to reassure you that you’re really at the true Bank of America website and not an impostor. The Superfish program would then monitor online browsing and send info about it back to the company HQ in Silicon Valley.

Before we get to the problem, stop there. Lenovo intentionally put a program on its new computers to display ads on web pages that don’t have ads. They didn’t do that to make you happy. They did it for money. The chances are that it was a trivially small amount of money, but it overrode any desire to give you a good experience with your computer.

If you blame Lenovo, you’re missing the point. Every manufacturer does this. Every single one. We are inundated by adware. Every device we buy comes with useless crap. Almost everything we download includes advertisements and unwanted side effects.

Superfish, though, turns out to deserve a special place in hell. It subverted the secure web pages by installing a certificate deep in the operating system, where it wouldn’t be spotted by users or antivirus software. That gave it the ability to start spying and siphoning data back to its parent company. Again, it was buried so deeply that it was discovered almost by accident.

If PC manufacturers and advertisers are willing to subvert their machines at that deep level, they can do almost anything – “steal your passwords, serve up any web page, steal your encryption keys and control your entire digital experience, undetected,” according to the New York Times.

It only took the security community a short time to realize that Superfish had chosen a colossally stupid way to inject ads, one that could be easily subverted by bad guys and used for much more evil ends than sending some advertising data back to a Silicon Valley company. Of course, that would require that the bad guys crack the password used on that deeply hidden certificate. Which turned out to be a single easy-to-discover and easily-guessed word because, well, did I mention that the Superfish folks are colossally stupid?

Lenovo’s security team took about 24 hours to realize that (1) they had completely missed the risk that Superfish created, (2) it was really, really bad, and (3) Lenovo was facing a PR nightmare that could sink the entire company if they didn’t start acting smart fast. They looked pretty clueless for those 24 hours but since then they’ve been falling all over themselves to apologize, mea culpa, sorry, never do it again, we promise that we’re reorganizing the entire company to make sure nothing like this ever goes through, etc., etc. Microsoft was first out with an update to Security Essentials/Windows Defender that automatically removed Superfish. Since then the other antivirus companies have followed suit and Lenovo has released a tool to uninstall it.

Again, this only affected some consumer Inspiron Lenovo laptops sold for a few months at the end of 2014. You don’t need to worry specifically about Superfish if you don’t have one of those. But you need to worry very much about the general trend that it reflects, which is that absolutely anything will be used as a mechanism to display ads to you, regardless of whether that is a detriment to your use or enjoyment of something, and even if it puts you at personal risk.

I would tell you to be careful out there but that doesn’t make much difference, does it?