If the NSA had sweeping surveillance measures in place for all your online activity, it only makes sense that it has tried to explore every loophole and bug in the book to make it happen. But did it use Heartbleed, the bug that has thrown nearly two-thirds of the Internet in a tizzy? At least one report says so.
The National Security Agency knew about the Heartbleed flaw and reportedly used it to gather intelligence, sources have told Bloomberg. “Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost,” the report said.
A statement from the Office of the Director of National Intelligence denied that the NSA had knowledge of Heartbleed prior to 2014. This is in stark contrast to the agency’s silence on the mountain of Edward Snowden revelations that laid open its surveillance programmes around the world.
The statement also said that vulnerabilities such as Heartbleed are disclosed to the security community to avoid unnecessary damage. “This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet,” Shawn Turner, director of public affairs for the office, said. “Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.”
Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.
— NSA/CSS (@NSA_PAO) April 11, 2014
Reports that NSA or any other part of the govt were aware of the so-called #Heartbleed bug before Apr 14 are wrong: http://t.co/JhqVQOMDvE
— IC on the Record (@icontherecord) April 11, 2014
If a vulnerability like Heartbleed had been used, it would have emerged from the Snowden revelations too. We already know that the NSA is hoarding spying tools and bugs that allow wanton surveillance. So Heartbleed could have been one of those which was reserved for later use or rejected due to other reasons. One line of thinking is that the NSA knew about Heartbleed but didn’t use to avoid any infringement of stringent American privacy laws, which do not allow access to data belonging to American citizens without an express court order. But the Bloomberg report mentions that Heartbleed has been adopted in some form by the NSA ever since its discovery in 2012. “It became a basic part of the agency’s toolkit for stealing account passwords and other common tasks,” the report said paraphrasing its source.
Sophos Security Senior Adviser Chet Wisniewski told BuzzFeed that if there’s one organisation capable of using an OpenSSL bug such as Heartbleed, it’s the NSA. “When they find this stuff they hold onto it as long as humanly possible because it gives them unfettered access to information.”