For those who thought they could protect themselves from cyber-spying by disconnecting from the Internet — forget it. According to The New York Times, technology exists that allows spy agencies, like the NSA (National Security Agency), to reach a computer or entire network that has no connection to the Internet.
The report, which questions many of the basic assumptions people have about cyber-security – after all, if you’re not on-line, you shouldn’t be vulnerable to outsiders sucking data out of your computer – comes as a shock to a generation trained to think of cyber-defense as proper deployment of firewalls and anti-virus software. But the technology to do this isn’t new, according to Israeli security expert Shai Rod. “The way the NSA connects to a computer that is not online is novel, but there are all sorts of ways to do this,” Rod told The Times of Israel. “The question is, how secure are computers from the kind of physical access needed to implant the devices that would be used to do the spying?”
The Times report detailed the efforts of the NSA to “invade” computers in countries around the world, with numerous programs and technologies to reach behind firewalls and other cyber-defenses. But beyond the agency’s prowess in online prying, the article detailed its use of radio frequency technology (presumably similar to that of a cellphone network). Using tiny transceivers implanted in innocuous-looking devices like USB cables, the NSA, according to the report, implanted malware in target computers all over the world, gathering data and transmitting it wirelessly to a nearby “field station,” a larger and better connected transceiver that can communicate with a central server – where the data can be analyzed, scrutinized, investigated, and otherwise “sliced and diced.”
It’s a story worthy of a spy novel — and, as in a spy novel, an agent is necessary in order to pull it off, said Rod, an Israeli security consultant who works with companies like Google, PayPal, and many others on finding security flaws in their systems and helping to fix them.
“If someone can get to the computer or server, they can install all sorts of equipment that can do something like this,” Rod said. “Already several years ago there were keyloggers” — devices that record keystrokes, which can then be reconstructed to determine passwords – “that had wifi technology built in, allowing someone to get the keylogger data without having to be present.” The “agent” could be a phone repair person, copy machine technician, or even someone from inside a company who had been “turned,” he said.
Because the problem has been around for years, solutions have been developed. “There are all sorts of locks you can buy for different ports and components of a machine to ensure that it cannot be tampered with,” said Rod. Besides locks, there are alarms, sensors, and other devices that can let a system administrator or other concerned individual know whether or not their system has been tampered with.
The problem, of course, is implementation; just like many people and businesses are lax when it comes to on-line security protection – for example, failing to update their anti-virus programs on a regular basis – they are even more lax when it comes to physical protection of their system. “I imagine that in the wake of this story, the market for physical protection devices will grow,” said Rod, with companies taking greater efforts to secure their hardware.
That market could be large, said Rod. “I have worked with many large companies and government offices, and I have seen only a very few that secure their servers physically.” The Achilles’ heel in these organizations, he said, was with the workers. “Very few organizations secure employee workstations,” and a savvy and determined spy could easily use one of those workstations to get access to the network. “The bigger and more mission-critical the organization, the more attention they are likely to pay to this, but a lot of work is needed,” Rod added.
But even more worrisome is what goes into the equipment itself. “One of the biggest security problems today is figuring out how secure components are,” said Rod. “You may buy a network card or component that is from a company in the UK, and you assume it is made in the UK – but it could have been manufactured elsewhere, where the security level is less secure. It could already have radio communication equipment installed.”
That “elsewhere,” of course, is China, which manufactures much of the world’s computer and networking equipment. Who’s to say, asked Rod, that the government there won’t order a company to insert a spyware component on a motherboard, communication chip, or networking component? In fact, according to the Times, computer servers from at least one Chinese manufacturer, Huawei, have been banned in the U.S. because of fears that “they could contain technology to penetrate American networks,” the report said.
For Israel, the issues are similar, said Rod. “The IDF is reportedly upgrading its cellphones and communications equipment, and is even considering manufacturing its own devices, for just this reason,” said Rod. Cellphones, tablets, and dozens of other devices that have communication capabilities could easily contain a chip that would connect with a not-so-friendly country’s servers.
Of course, that same concern would go for equipment made in the U.S. — the NSA, after all, is an American government agency, and given the close defense relationship between Jerusalem and Washington, American-made equipment is everywhere in the IDF. That the U.S. could use that equipment to spy on Israel is certainly clear from the Times piece. “The truth is Israel, along with everyone else, is vulnerable,” said Rod. “I suppose if I had my preference as to which country I would want spying on me, it would be the U.S., as opposed to some others.”
But Israel is not just a defenseless victim in this scenario; the country’s high-tech industry makes plenty of hardware and software, and, said Rod, “who’s to say we aren’t doing it too? I remember that after our relations with Turkey soured after the Mavi Marmara affair, there was an article in the Turkish press pointing out that all of the firewalls on the government’s computers were made by Check Point – and the article questioned whether it was a good idea for the government to be using an Israeli security system given the relations between the two countries.” Securing the physical plant of IT systems is going to be a major issue in the coming years, said Rod, adding that solutions are being worked on, but we should get used to hearing more stories like this.