Turning security flaws into cyberweapons endangers Canadians, experts warn

Apple's decision to issue emergency security updates to iPhone usersand the recent news that a hacking group apparentlystole NSA cyberweaponsand posted them onlineis prompting securityexperts to question whether the use of security flaws as weapons byintelligence agencies puts citizens in danger.

Spyware or malware that exploits previously unknownsecurity flaws, such as the three fixed by Apple,canenable a hacker totake control of a device and spy on calls and messages, turn on themicrophone and camera to eavesdrop on nearby conversations and evenmodify, delete or add information.

• Apple boosts iPhone security after Mideast spyware discovery
• Spy agencies target mobile phones, app stores to implant spyware
• SYNful Knock cyberspying malware takes over Cisco routers

While Apple and other companies have issued patches to protect users after security flaws are discovered, security experts are concerned that intelligence agencies are withholding knowledge of flaws so they can exploit them. In the meantime, those same flaws could be exploited by others, too.

The iPhone security flaws were discovered after they were used in anattempt to hack a human rights activist in the UAE and a journalist inMexico.

An investigation by Citizen Lab and mobile security firm Lookout linkedtheattackto Israel-based cyber outfit NSO Group, which sells spywareto governments.

Intelligence agencies like the NSA and Canada's Communications Security Establishment (CSE) treasure security flaws because they make it easy to hack into computers around the world to engage in espionage, or even sabotage.

The documents leaked by NSA whistleblower Edward Snowden in 2013revealed close ties between the NSA and CSE.

'Exploit it all'

At a 2011 meeting of the Five Eyes intelligence agencies, the NSAdescribed its "collection posture" as "Collect it All," "Process itAll," "Exploit it All," "Partner it All" and "Know it All," according toa slide leaked by Snowden.

"Five Eyes work in lockstep on all of this," said security expert BruceSchneier, a fellow at the Berkman-Klein Center at Harvard University, referring to the partnership involving the security agencies ofthe U.S., U.K., Canada, Australia and New Zealand.

"The Snowden docs demonstrate that CSE is active in identifyingvulnerabilities," Christopher Parsons, a post-doctoral fellow at CitizenLab, told CBC.

"The fact that CSE identifies vulnerabilities and is not reporting themmeans users are not receiving patches in order tosecure their networks."

Parsons said this "creates a really dangerous scenario."

"Canadians need to have a discussion about this. Do we want to live in a world in which we're protecting our own citizens? Or should the priority of Canadian government organizations [like CSE] be first and foremost hacking foreign systems?"

Weaponized security flaws can have destructive powers, as was seen with the Stuxnet worm.

• Stuxnet nuclear sabotage malware's evolution revealed

Discovered in 2010, the joint U.S./Israeli operation usedthe cyberweapon to destroy centrifuges at Iran's Nantaz nuclearenrichment facility.

Using a browser flaw

An investigation by CBC last year revealed that CSE exploited securityflaws in one of the world's most popular browsers and planned to hackinto smartphones using links to Google and Samsung app stores.

If CSE can find a security flaw, then Russia or China or a criminalmight find the same flaw. A foreign intelligence agency could also stealthe flaws CSE decides to weaponize, Schneier said, pointing to the theftof the NSA's cyberweapons.

The NSA's weapons were posted online by a group going by the name ofShadow Brokers, ostensibly as a teaser for an "auction" of more weapons:"!!!Attention government sponsors of cyber warfare and those whoprofit from it !!!! How much you pay for enemies cyber weapons?"

The stolen weapons date from 2013, and contain numerous security flawsin popular routers.

"Russians hacked the NSA and stole security vulnerabilities and they'regoing to use them against us," Schneier said.

If the NSA the most powerful spy agency in the world can get hacked,CSE can also get hacked, critics said.

"Hoarding vulnerabilities harms our security," Schneier said, "and ifCanada is complicit in it happening, then Canada is at fault."

The Shadow Brokers leak highlights the tension between a government'sdesire to use security flaws for intelligence gathering and lawenforcement purposes and the need to fix security flaws to preventforeign spies and criminals from exploiting them.

Conflicting interests

Snowden himself chimed into the debate after the Shadow Brokers leak via Twitter.

The U.S. government has tried to balance these conflicting interestswith the Vulnerabilities Equity Process (VEP), which evaluates securityflaws discovered by the U.S. government and decides which to fix andwhich to use.

The VEP is a good start to the conversation, Parsons said, but aterrible end result from a policy perspective.

"There's widespread acknowledgment among experts that the VEP is afarce," Chris Soghoian, principaltechnologist at the American Civil LibertiesUnion in Washington, told CBC. He criticized the process for weighingtoo heavily in favour of weaponizing security flaws.

• Packrat malware targets dissidents, journalists in South America, Citizen Lab finds

"On the other hand," he added, "even though it's a farce, it's stillbetter than anything any other country has."

Canada lacks such a process.

CSE declined to comment on how it evaluates security flaws.

'Toxic' secrecy

Public Safety Canada noted in a statement that the Canadian CyberIncident Response Centre (CCIRC) "works to protect organizations fromcyber threats in part by sharing timely and accurate informationregarding vulnerabilities."

Public Safety Canada also recently announced an eight-week publicconsultation on cybersecurity that ends in mid-October.

However, there is no evidence that the CCIRC has any decision-makingrole in the CSE's evaluation process, which remains secret.

"The secrecy is toxic," Schneier said, "and [also] the fact that we areprioritizing surveillance over security."

"We are choosing insecurity," he added. "We are choosing surveillance.If we do the right things the process will work. If we do the wrongthings the process will fail."

Canadian politicians, judges, journalists and business leaders usesmartphones vulnerable to the flaws now fixed by Apple and to flawsstill unknown. The country's infrastructure is increasingly networkedand vulnerable to sabotage by a foreign intelligence agency.

In such a world, Parsons wondered, does national security mean usingsecurity flaws against potential enemies? Or disclosing and fixing them?

"We haven't had that debate in this country," he said.

• Hacking Team surveillance software firm hacked