FYI.

This story is over 5 years old.

Tech

This Is a Bug the NSA May Have Used to Break Internet Encryption

Old and outdated encryption protocols are low-hanging fruit for the NSA and other spy agencies.

In Sept. of 2013, documents leaked by Edward Snowden showed that the NSA was able to break supposedly secure and encrypted communications on the internet. Late last year, more documents suggested that the NSA was able to decrypt massive amounts of traffic going through Virtual Private Networks (VPNs), a common tool used by businesses as well as individuals use to connect securely to the internet.

The documents did not reveal exactly how the spy agency was able to break the encryption in these cases. Now, thanks to new research, we might finally know. And it turns out that it was probably thanks to outdated and weak encryption technology.

Advertisement

A group of computer scientists and cryptographers has discovered a series of vulnerabilities in the Diffie-Hellman key exchange protocol, a widespread protocol used on the internet to secure connections, that can be exploited to intercept and read supposedly secure connections.

In their paper published on Wednesday, the researchers also show practical attacks, dubbed "Logjam," against this vulnerabilities. These attacks basically allows a spy agency like the NSA to force connections between users and servers to use a weaker encryption standard, which can be broken more easily.

The flaw is similar to the FREAK bug, which the same group of researcher disclosed in March. Just like FREAK, this flaw exists because of the anti-encryption policies pushed by the US and the NSA itself, in the 1990s, when the Clinton administration forced security firms to ship weaker encryption protocols to allow American intelligence and law enforcement agencies to break them when they needed to.

"There's still a lot of shitty crypto on the internet, and as long as there is shitty crypto, the NSA will be able to spy."

"There's still a lot of shitty crypto on the internet, and as long as there is shitty crypto, the NSA will be able to spy," Christopher Soghoian, the principal technologist at the American Civil Liberties Union, told Motherboard.

"The shitty crypto makes their job much easier," he added. "You don't need a backdoor when the crypto sucks."

Advertisement

Those policies are not in place anymore, but "a surprising number" of servers and websites online still accept the old, outdated protocols, the researchers found.

This discovery, according to security experts, shows once again that "backdoors" or intentional flaws in security protocols are inherently a bad idea.

The researchers themselves were able to take advantage of these vulnerabilities to intercept and break a supposedly secure connection to the FBI's tips website.

Evidence published in the Snowden documents suggest that the NSA "may already be exploiting this capability to decrypt VPN traffic," the researchers wrote in the paper.

Obviously, this is speculation as there is no way to know for sure whether the NSA knew about Logjam and was able to exploit it.

But given the NSA's investment in cryptanalysis, "I can't imagine that this is the first time they thought of it," Daniel Kahn Gillmor, a technologist at the ACLU who's been working on a fix to this vulnerability, told Motherboard.

The NSA "probably knew."

The researchers seem to have no doubts.

"They probably knew," Karthikeyan Bhargavan, one of the lead researchers who discovered the bug, told Motherboard. "There's always a slightly paranoid sense that NSA can do anything."

For Soghoian, this suggests that the NSA may be sitting on critical vulnerabilities with the goal of exploiting them. This would directly contradict the US government new policy not to stockpile unknown, "zero-day," vulnerabilities to hack targets.

The NSA did not answer to multiple requests for comment regarding the Logjam flaw, as well as whether the agency was aware of it.