The Internet is compromised

A diagnosis after a tragic year of revelations on global surveillance

The revelations have become so numerous that it is difficult to keep track of them.
After the initial excitement, astonishment and outrage that greeted the publications, we need to sit back and evaluate what we have learned, in order to understand what the political, social and technical implications of the spying programs being disclosed really are.

Among the numerous publications, a number of leaked documents paint a particularly dramatic picture for the integrity and reliability of the Internet.

The Architecture

The Internet is nothing more than a network of computers connected to each other, an intricate web that each node traverses in order to contact and communicate with another node sitting somewhere else, far away.

It is not an immediate communication: you rely on a set of other computers to transport your message from your home to across the street, across the country and across the ocean.
For example, to read this article your request probably transited through at least ten or fifteen different nodes, or hops, before reaching its destination; a traceroute to any website will show you that chain.
Many things could go wrong while the message is on its journey; we simply trust that it is delivered correctly.

Knowing that while connecting to any given website or service on the Internet you will pass through an undetermined number of computers you do not control, would you blindly trust the bunch of strangers operating all those computers to take good care of your private data?

You probably should not, but the bad news is that those strangers are far from being the most concerning threat to your privacy.

Mass Surveillance

Among the very first revelations from the Snowden documents, PRISM came like a bolt from the blue and generated an international outcry over privacy violations, which soon turned into a heated debate about the legitimacy of the NSA's spying activities as more secret programs followed in the publications.

PRISM has already made its way into popular culture and helped bring to the attention of the general public that established Internet giants like Google, Facebook and Skype are not to be trusted blindly, as they ultimately have to answer to the legal powers of the American government.
However, PRISM was just the beginning, and despite the public's apparent gradual disengagement over the months, many of the revelations that followed uncovered far more worrisome attempts by the NSA and its partners to spy on the Internet at scale.

In order to record an ongoing Internet communication, the NSA has to effectively sit on a node between the source and the destination.
Consequently the NSA and GCHQ necessarily have to either operate the node themselves, coerce its owner into cooperating, or otherwise gain unauthorized access by exploiting and hijacking the node.

In the case of the program TEMPORA, for example, GCHQ managed to collect massive amounts of everyone's personal data by wiretapping the transoceanic fiber-optic cables that form the Internet's backbone, likely through the cooperation or the silent consent of the companies operating them.

One of the most alarming programs revealed so far is XKEYSCORE, which probably represents the main mass collection infrastructure at the NSA's disposal.
By obtaining control, one way or another, of critical nodes across the Internet, the NSA has been able over the years to establish a vast network of passive sensors that continuously and silently collect the communications transiting through them.
Through XKEYSCORE, NSA analysts can search for virtually anything transiting across the Internet, from a specific email address or phone number to everyone matching a certain behavior, for example by looking for “someone searching the web for suspicious stuff”, as suggested in a leaked classified slide.

Slide showing collection nodes of the massive interception program XKEYSCORE.

Keeping control of the Internet backbone outside of the Five Eyes' jurisdiction is not an easy task, so it is reasonable to believe that this vast network also includes hacked nodes and servers.

NSA document detailing a backdoor for Cisco PIX/ASA firewalls. (Der Spiegel)

As a matter of fact, Der Spiegel revealed that the NSA has been secretly building capabilities to take control of popular devices typically used at critical choke-points across the Internet, including Cisco PIX/ASA firewalls, Juniper firewalls, Huawei routers and Dell servers. Several of the implants in those documents are described as living in the device's firmware or BIOS, so they persist across reboots and software upgrades, which is exactly what makes a compromised choke-point valuable as a long-term sensor.

It gets worse.

Targeted Surveillance

As encryption rises in popularity, traditional wiretapping is no longer enough, and law enforcement and intelligence agencies increasingly resort to breaking directly into computers.
We have observed this already over the last couple of years, but the NSA brought it to an unprecedented global scale.

The NSA and GCHQ have concretely sabotaged the Internet, subverted its very architecture and turned its backbone into a global computer intrusion framework, powered by a set of clandestine programs identified as QUANTUM.

As explained in one of the leaked slides, the NSA's collection of sensors such as XKEYSCORE is also actively used in conjunction with a set of secret programs called TURBULENCE.
TURBULENCE mainly consists of two systems, TURMOIL and TURBINE, responsible respectively for identifying potential persons of interest and for then hijacking their computers in order to take control of them.

In particular, TURMOIL is described as “high-speed passive collection systems [to] intercept target satellite, microwave and cable communications as they transit the globe”, and is colorfully depicted in the picture below.

Slide from a presentation detailing TURMOIL infrastructure. (Der Spiegel)

Concretely, TURMOIL is a distributed collection of systems able to intercept, dissect and identify traffic matching a provided list of rules. In technical jargon, TURMOIL is comparable to a Deep Packet Inspection (DPI) system, of the kind commonly used in corporate environments to analyze transiting traffic and flag anomalies such as viruses, or non-compliant activity like users visiting forbidden websites.

Whenever a rule is matched, TURBINE is triggered and, according to what the NSA calls “mission logic”, initiates an attack sequence.

Through the combination of these components the NSA and GCHQ are systematically able to intercept and hijack virtually any Internet communication. But what constitutes a target?
Potentially the NSA and GCHQ could target just about anyone; in practice they profile a person of interest through one or more “selectors”, identifiers applied to a number of searchable domains called “realms”.
A selector can be an email address, an account name or a browser cookie, while a realm can be an Internet service like Facebook or Twitter. Note that a cookie or account name is only usable as a selector by a passive sensor if the session carrying it is unencrypted, which is one reason this whole chain depends on plaintext traffic.

Slide detailing the selection realms available to the NSA through the QUANTUM programs. (Der Spiegel)

Interestingly, GCHQ is able to provide additional selection realms, probably due to finer granularity in its interception gear, or because certain services are popular in geographical areas to which British intelligence has easier access.

To facilitate this selection process, the NSA runs a convenient web application called MARINA, used by analysts to instruct the QUANTUM infrastructure to look out for certain selectors and to collect all available information on the selected profile, including exchanged messages, forward and reverse contacts, logins and passwords.

Slide showing how to find and select QUANTUM targets through MARINA. (Der Spiegel)

When applicable, analysts can then task the selected profile for QUANTUMTHEORY or QUANTUMNATION attacks, which ultimately result in the target's device being backdoored with, respectively, VALIDATOR or SEASONEDMOTH, the code names of two spyware implants in the NSA's arsenal.

Slide detailing how to task targets for QUANTUMNATION attacks. (Der Spiegel)

In either case, QUANTUMTHEORY and QUANTUMNATION tasks rely on a particular network attack called QUANTUMINSERT.

Thanks to the network of nodes described above, distributed across the Internet, the NSA is in many cases able to observe a connection before the reply to it has even arrived.

For example, suppose you are in Germany and you connect to a Yahoo server in Virginia.
If the NSA controls an Internet node in the Netherlands that your traffic traverses, it will not only see your attempted connection to Yahoo, but it will also be able to defeat the so-called “speed of light problem”: it sends you a reply that appears to come from Yahoo (the packet carries Yahoo's source address and the TCP sequence numbers your system expects) well before Yahoo's genuine reply can arrive. The genuine reply does still arrive, but your operating system discards it as a duplicate because the injected packet has already occupied that place in the stream.
At this point your browser, instead of opening the original Yahoo page, is silently redirected to a server that automatically exploits and infects your computer.
Such attack servers are part of an infrastructure called FOXACID, operated by the NSA's own group of intruders, the Tailored Access Operations unit (TAO).

This exact same process is explained in a leaked NSA slide.

A scheme of the functioning of QUANTUM attacks. (Der Spiegel)
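The race described above can be simulated end to end. The following is an added example, not code from the article or from any leaked document: every address, port, sequence number, TTL and payload is constructed (the documentation ranges 192.0.2.0/24 and 203.0.113.0/24 stand in for the web server and the client, and redirect-target.example for the attack server), and the receiver is a deliberately simplified model of TCP. Besides showing why the first answer wins, it includes the check a defender would want: a passive monitor that flags two segments of one flow sharing a sequence number but carrying different bytes, which is what an injected answer followed by the late genuine one looks like on the wire.

```python
"""Simulation of the QUANTUMINSERT race and a passive detector for it.

Added example, not from the original article or any leaked document.
Every address, port, sequence number, TTL and payload below is constructed
to illustrate the mechanism; the receiver model is a deliberate
simplification of TCP (in-order data only, FIN honoured, no out-of-order
buffering).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str          # IP the packet claims to come from (spoofable)
    sport: int
    dst: str
    dport: int
    seq: int          # TCP sequence number of the first payload byte
    ttl: int          # IP TTL on arrival; differs when the real sender differs
    payload: bytes
    arrival_ms: int   # when the client / the monitor sees the packet
    fin: bool = False

    @property
    def flow(self):
        return (self.src, self.sport, self.dst, self.dport)


def client_receives(segments):
    """Model of the client's TCP receiver for one flow.

    Segments are processed in arrival order. The first segment fixes the
    expected sequence number; data that starts exactly there is appended,
    data for a range already received is discarded as a retransmission
    even when its bytes differ, and a FIN closes the stream. The receiver
    cannot tell a spoofed in-window segment from the real one: the first
    to arrive wins, which is the whole point of the attack.
    """
    expected = None
    stream = b""
    for seg in sorted(segments, key=lambda s: s.arrival_ms):
        if expected is None:
            expected = seg.seq
        if seg.seq == expected:
            stream += seg.payload
            expected += len(seg.payload)
            if seg.fin:
                break
        # seg.seq < expected: treated as a duplicate and dropped
    return stream


def detect_insert(segments):
    """Passive detector for injected answers.

    Two segments of the same flow with the same sequence number and the
    same payload are an ordinary retransmission. The same sequence number
    with a different payload means two senders answered the same request,
    which is what an injection plus the late genuine reply looks like; a
    differing TTL corroborates a different origin. Returns one
    (flow, seq, ttl_first, ttl_second) tuple per hit.
    """
    first_seen = {}
    alerts = []
    for seg in sorted(segments, key=lambda s: s.arrival_ms):
        key = (seg.flow, seg.seq)
        if key not in first_seen:
            first_seen[key] = seg
        elif first_seen[key].payload != seg.payload:
            alerts.append((seg.flow, seg.seq, first_seen[key].ttl, seg.ttl))
    return alerts


# Constructed trace: 192.0.2.10 stands in for the web server, 203.0.113.7
# for the client, redirect-target.example for the attack server.
SERVER, CLIENT, CPORT = "192.0.2.10", "203.0.113.7", 51522
INJECTED = Segment(SERVER, 80, CLIENT, CPORT, seq=1001, ttl=57,
                   payload=(b"HTTP/1.1 302 Found\r\n"
                            b"Location: http://redirect-target.example/\r\n"
                            b"Connection: close\r\n\r\n"),
                   arrival_ms=12, fin=True)   # sent by the on-path node
GENUINE = Segment(SERVER, 80, CLIENT, CPORT, seq=1001, ttl=49,
                  payload=b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
                  arrival_ms=95)              # the real answer, too late
ATTACK_TRACE = [INJECTED, GENUINE]

# An honest retransmission of the same bytes must not raise an alert.
RETRANSMIT_TRACE = [
    GENUINE,
    Segment(SERVER, 80, CLIENT, CPORT, seq=1001, ttl=49,
            payload=GENUINE.payload, arrival_ms=310),
]

if __name__ == "__main__":
    print(client_receives(ATTACK_TRACE).split(b"\r\n")[0])  # the injected 302
    print(detect_insert(ATTACK_TRACE))       # one alert, TTL 57 vs 49
    print(detect_insert(RETRANSMIT_TRACE))   # no alert
```

The detector only works where the monitor sees both answers, that is, on the client side of the injection point, and it needs to hold a short window of recent segments per flow; the TTL difference is a useful corroborating signal because the injected packet has travelled a different path than the genuine one.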

In a similar way, another attack called QUANTUMCOPPER could allow the NSA to corrupt files you are downloading and potentially backdoor an application you are about to install, which is a concrete reason to verify the signature of downloaded software rather than trusting the transport.

Fundamentally it does not matter what you do: if you are targeted, simply browsing the Internet normally will get you compromised.

This scenario is scary and outrageous.

What does this mean?

The moral of the story is that the Internet has by now been completely and silently militarized without our knowledge. Figuratively, at every pathway of the Internet there is a hidden checkpoint where anybody transiting is monitored and potentially harassed.

In addition, in order to establish this massive amount of control over global communications, technology has been intentionally weakened, subverted and kept vulnerable, leaving all of us exposed with no possible remediation and no way to challenge this state of affairs.

The Internet had always been considered the last frontier of liberty, where freedom of communication, speech and expression were still possible. This is no longer true, and probably has not been for a long while.

The Internet is compromised.

It has been violated by a coalition of intelligence agencies and defense contractors that have undertaken the most aggressive offensive against the Internet's architecture ever documented, claiming to operate in the interests of a nation while effectively exposing all the inhabitants of a space that knows no physical borders.

What can you do?

The good news is that encryption does work, and it is in fact the only realistic way to prevent many of these attacks.

If an Internet communication is encrypted and authenticated on the wire, an observer cannot reconstruct its content, and consequently cannot tamper with the session or hijack it in order to compromise you: a forged packet injected into a TLS session fails the integrity check and the connection is aborted instead of being followed. This could concretely stop QUANTUM from succeeding, or at least significantly raise its cost. Two caveats matter in practice: the protection only holds if the client actually verifies the server's identity (a certificate warning that is clicked through hands the on-path node a perfectly valid session of its own), and the metadata of the connection, such as which server you are talking to, remains visible to the sensor.
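To make the integrity argument concrete, here is an added example that is not code from the article: a toy authenticated record layer built from the Python standard library only (HMAC-SHA256 in counter mode as the keystream, then encrypt-then-MAC with a second key), standing in for what TLS does with a vetted AEAD cipher. The function names (seal, open_record, race_outcomes), the keys and the HTTP replies are all constructed for the illustration. It replays the race from the previous section against this channel: the on-path node, which never learned the session keys, can spray the cleartext redirect, seal it under keys of its own choosing, or flip bits in the genuine reply in flight, and in every case the client rejects the record rather than following the redirect.

```python
"""Why an authenticated, encrypted session defeats the injection.

Added example, not from the article. The record layer below is a toy
stand-in for TLS built from the standard library only: HMAC-SHA256 run in
counter mode as the keystream, then encrypt-then-MAC with a separate key.
It exists to show the integrity property, not for real use.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 8, 32


def _keystream(enc_key, nonce, length):
    """Counter-mode PRF: HMAC(key, nonce || counter) blocks, truncated."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + struct.pack(">I", counter),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(enc_key, mac_key, seq, plaintext):
    """Record = nonce(seq) || ciphertext || HMAC(mac_key, nonce || ciphertext)."""
    nonce = struct.pack(">Q", seq)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_record(enc_key, mac_key, expected_seq, record):
    """Return the plaintext, or None when the record was not produced by the
    holder of mac_key for this position in the stream. A real TLS stack
    sends a fatal alert and tears the connection down where this returns None."""
    if len(record) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    if struct.unpack(">Q", nonce)[0] != expected_seq:
        return None                       # replayed or out-of-place record
    expected_tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, tag):
        return None                       # forged or modified record
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Session keys as the client and the genuine server would share after an
# authenticated handshake. The on-path node never sees them.
SESSION_KEYS = (os.urandom(32), os.urandom(32))

GENUINE_REPLY = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
INJECTED_REPLY = (b"HTTP/1.1 302 Found\r\n"
                  b"Location: http://redirect-target.example/\r\n\r\n")


def race_outcomes():
    """What the client ends up acting on: the accepted plaintext, or None
    when the record is rejected and the session aborted."""
    enc_key, mac_key = SESSION_KEYS
    genuine = seal(enc_key, mac_key, 0, GENUINE_REPLY)
    attempts = {
        # the cleartext 302 sprayed as if it were a record: wrong nonce, no tag
        "raw_injection": INJECTED_REPLY,
        # the 302 sealed under keys of the node's own choosing: tag mismatch
        "own_keys": seal(os.urandom(32), os.urandom(32), 0, INJECTED_REPLY),
        # one ciphertext bit of the real reply flipped in flight: tag mismatch
        "bitflip": (genuine[:NONCE_LEN]
                    + bytes([genuine[NONCE_LEN] ^ 0x01])
                    + genuine[NONCE_LEN + 1:]),
        # the honest reply from the real server
        "genuine": genuine,
    }
    outcomes = {name: open_record(enc_key, mac_key, 0, rec)
                for name, rec in attempts.items()}
    outcomes["cleartext_http"] = INJECTED_REPLY   # no record layer: first answer wins
    return outcomes


if __name__ == "__main__":
    for name, value in race_outcomes().items():
        shown = "aborted" if value is None else value.split(b"\r\n")[0]
        print(name, "->", shown)
```

The whole guarantee rests on the keys having been agreed with the authenticated server: an on-path node that can persuade the client to accept its own certificate does not need to forge anything, it simply completes its own handshake and becomes "the server". That is why certificate validation, not encryption alone, is the property to insist on.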

This means that adopting cryptography not only protects the confidentiality of your communications but also safeguards the security of your devices.

However, a single insecure session could be enough to expose you, which is why it is now indispensable to advocate for the ubiquitous adoption of encryption by service providers and to initiate the cultural shift that will make it a matter of responsibility rather than tedious compliance.

As a result of these revelations any conscientious Internet user should learn basic online self-defense; technologists and open source developers, meanwhile, are called to arms to turn the adoption of encryption from an act of digital resistance into the default state of the Internet's architecture.

Senior Technologist at Amnesty International