The NSA not only knew about the Heartbleed bug for at least two years but exploited it in regular surveillance operations, insider sources have alleged, choosing to keep the flaw secret because of its value to intelligence gathering. Heartbleed, a flaw in OpenSSL, the encryption library countless sites rely on to keep users’ details safe, has forced companies big and small to patch their servers and has prompted a mass change of passwords over the past week.
That flaw could have been identified and patched years ago, Bloomberg sources claim, but instead the US National Security Agency opted to keep details of the exploit to itself.
Insight into exactly how the NSA supposedly used Heartbleed is scant, with only two people “familiar with the matter” speaking up. The bug lets an attacker read chunks of a vulnerable server’s memory, however, which can contain user passwords, session cookies and even the server’s private keys, so the possibilities include harvesting credentials and spying on web use.
The NSA has declined to comment on whether it knew about, or used, the exploit. However, debate over whether the surveillance agency was right to stockpile the vulnerability for its own use, or should have stepped forward so it could be fixed, is already underway.
On the one hand, by opting to keep Heartbleed secret, the NSA has left millions of internet users – a sizable proportion of them the American citizens its mission is to protect – at risk of hacks. According to one source, the NSA’s team of over 1,000 experts spotted the bug’s potential “shortly after its introduction.”
Heartbleed was then added to the NSA’s core toolkit of data acquisition tools, it’s said.
The other side of the argument is that finding and using exploits is a key part of the NSA’s role, even though that role is nominally classed as “defense”, and that critics of the agency’s behavior are mistakenly assigning it responsibilities that actually belong to other government divisions.
US-CERT, for instance – the United States Computer Emergency Readiness Team – has “responding to major incidents, analyzing threats, and exchanging critical cybersecurity information with trusted partners around the world” as its remit.
Either way, Heartbleed is out in the open now, with dozens of sites announcing over the past few days that they have patched the flaw. Protecting yourself is also straightforward, chiefly by changing passwords on affected sites once those sites have actually patched (a new password sent to a still-vulnerable server can be stolen the same way), though how many people will do so and follow the general good-practice advice remains to be seen.
Meanwhile, the coder responsible for Heartbleed has denied malicious intent, insisting instead that it was all a mistake.
Update: The NSA has denied any knowledge of Heartbleed before it was made public.