Sunday Times 2
Don’t trust your phone, don’t trust your laptop
Back in July 2013, a few weeks after Edward Snowden’s revelations about internet and mobile-phone surveillance began, I wrote a column that began: “Repeat after me: Edward Snowden is not the story. The story is what he has revealed about the hidden wiring of our networked world.”
The spur for the column was my realisation of the extent and astuteness of Snowden’s choice of what to collect and reveal. His was not some opportunistic smash-and-grab data heist, but a considered, informed selection of cases where he thought that the National Security Agency was violating the US constitution and/or circumventing its laws. Snowden was clearly no stereotypical left-wing dissident; he seemed closer to what US constitutional lawyers called an “originalist” – someone who regards the constitution as a sacred, inviolable document that citizens – and their governments – must continue to respect and adhere to. If Snowden were in the US today, I suspect he would be a supporter of Rand Paul.
What Snowden did was careful and considered: he identified examples of what he regarded as unconstitutional activities on the part of the NSA and then downloaded documentary evidence of these activities that would corroborate his judgment. Given the staggering scale of the activities revealed, I remember thinking that it would take us a long time to realise the full extent of the surveillance mesh in which we are entangled. So it has proved.
But a few recent revelations suggest that we may now be getting down to bedrock. Two concern the consummate hacking capabilities of the NSA and its overseas franchises. The first – which came not from Snowden but from Kaspersky, a computer security firm – showed that for at least 14 years a unit in the NSA had succeeded in infecting the firmware that controls hard disk drives with malicious software that is able to persist even through reformatting of the disks.
Firmware is computer code embedded in a read-only silicon chip. It’s what transforms a disk from a paperweight into a storage device. The hack is significant: the Kaspersky researchers who uncovered this said its ability to subvert hard-drive firmware “surpasses anything else” they had ever seen. Being able to compromise firmware gives an attacker total control of the system in a way that is stealthy and lasting, even through software updates. Which means that the unsuspecting victim can never get rid of it. If you think this has nothing to do with you, the compromised drives were manufactured by most of the leading companies in the disk-drive business, including Western Digital, Seagate, Toshiba, IBM, Micron and Samsung. Check your laptop specifications to see which one of these companies made the drive.
The second revelation, last month, came from a GCHQ presentation provided by Snowden and reported in online publication the Intercept. Documents showed that a joint NSA/GCHQ team had hacked into the internal computer network of Gemalto, the world’s largest manufacturer of sim cards, stealing, in the process, encryption keys used to protect the privacy of mobile communications internationally.
Gemalto makes the chips used in mobile phones and credit cards and numbers among its customers AT&T, T-Mobile, Verizon, Sprint and 450 other mobile network providers. It currently produces 2bn sim cards a year. If the attempted breach were successful, it would give security agencies the potential to monitor covertly the mobile phone communications of a large portion of the world’s population. Gemalto has conducted an investigation which concludes that there are “reasonable grounds to believe that an operation by NSA and GCHQ probably happened”, but that the attack “only breached… office networks and could not have resulted in a massive theft of sim encryption keys”. And even if the intruders had stolen encryption keys, the company claims that “the intelligence services would only be able to spy on communications on second generation 2G mobile networks. 3G and 4G networks are not vulnerable to this type of attack.”
Oh yeah? The implication of these latest revelations is stark: the capabilities and ambitions of the intelligence services mean that no electronic communications device can now be regarded as trustworthy. It’s not only your mobile phone that might betray you: your hard disk could harbour a snake in the grass, too.
No wonder Andy Grove, the former boss of Intel, used to say that “only the paranoid survive” in the technology business. Given that we have become totally dependent on his industry’s products, that knowledge may not provide much consolation. But we now know where we stand. And we have Edward Snowden to thank for that.
© 2015 Guardian News and Media Limited