Shadow Equations: Where IT Security Fails
Adrian McCullagh & John Flood
Everyone now lives on the internet, and security is paramount, yet we seem remarkably bad at providing it. Businesses and governments receive thousands of cyber-attacks a day from countries like China. In the wake of infiltrations into Austrade and the Australian Defence Department’s networks, the prime minister’s cyber security adviser has admitted that the Australian government is attacked on a daily basis. It was even thought that the failure of the Australian online census was due to a denial of service cyber-attack, which helped foment nationwide privacy scares.
The story we tell here indicates that we are at a tipping point in cybersecurity. Our online ecosystem is becoming ever more complex as more and more devices are connected to the internet. Estimates suggest there will be close to 50 billion internet enabled devices by 2020. They will be spread across multiple industry sectors, including health, transport and power generation, and will be placed in common consumer products like fridges, air conditioners and washing machines. It is anticipated that all of these devices will autonomously and remotely communicate with each other, as well as with their manufacturers, in order to improve living standards in modern society. But not all is safe in this utopian expansion.
Recently a hacker group known as the ‘Shadow Brokers’ published, on an open web site, a sample of the source code of particular malware (MALicious softWARE), claiming that the malware had been downloaded from an organisation known as ‘Equation Group’. The published malware has since been taken down and removed by the website. Equation Group was identified in early 2015 as a commercial hacking group comprising some of the best hackers in the world, and one closely aligned to the National Security Agency (NSA). It is suspected to be associated with 500 infections in 42 countries. This begs the question: if Equation Group is as talented as its reputation suggests, how did the Shadow Brokers get hold of such valuable information? Alternatively, it shows that implementing IT security is extremely hard; otherwise the hackers would not have succeeded. Even the best are vulnerable.
The Equation Group’s particular expertise was in understanding the security vulnerabilities of internet connected devices through their firmware. Firmware is software that is embedded in hardware devices so they operate efficiently and usually with very limited functionality. Over time firmware needs updates or enhancements, which are usually done remotely by device manufacturers. Mark Shuttleworth, founder of Ubuntu, describes all firmware as a ‘cesspool of insecurity’.
The NSA was established shortly after World War II by US President Truman and for many years its existence was officially denied. In the late 1970s the NSA was officially recognised and is now the world’s largest employer of mathematicians who work on designing IT security frameworks and testing and identifying vulnerabilities in existing IT products. For example, the STUXNET malware, created to disrupt Iranian centrifuges used to enrich uranium, has been widely suspected to have been designed by the NSA or by an organisation closely affiliated to it.
Shadow Brokers’ acquisition of NSA designed malware is being taken very seriously by organisations which form parts of society’s critical infrastructure. These include banks, electricity generation and distribution providers, hospitals, oil and gas distributors, government agencies as well as others — basically any sector which society has become dependent upon for its present quality of life.
The Shadow Brokers announcement contained two elements. The first was to establish credibility that they actually possessed the relevant malware. They did this by publishing a small sample of the acquired malware so that it could be verified by experts in the IT security field. The second element is auctioning off the remainder of the malware to the highest bidder. This remainder is expected to be substantial.
To avoid apprehension, the Shadow Brokers are demanding payment in bitcoin. Bitcoin is a pseudo-anonymous virtual currency which can be transferred without the need for any trusted third party. The current price of a bitcoin is just under US$600, and the Shadow Brokers are demanding one million bitcoins, or approximately US$600,000,000. This is an audacious exercise by the people behind Shadow Brokers. The expert evaluation to date has been that the published malware is authentic, and as such the Shadow Brokers’ hack is being taken very seriously.
Now, it is unlikely that any criminal group will have sufficient funds to pay such an exorbitant amount on its own and, in addition, it will require substantial resources and expertise to understand the malware and how to take advantage of it. Only a limited number of potential buyers might actually exist. If there is a buyer, then it is likely to be a government that wants to cause havoc in other jurisdictions.
Since firmware is such a ‘cesspool of insecurity’, what is being done to secure the 50 billion devices that will be attached to the Internet of Things? At the moment, very little. One way to better protect all firmware is for every update to be digitally signed by the manufacturer, and for every device to have embedded in it a trusted, protected section that holds the manufacturer’s verification key and recognises the signature. Hence, before any update or enhancement to firmware is installed, the update must be verified as coming from the relevant manufacturer. This is not fool-proof, but it substantially reduces vulnerability to malware. It is time to take security seriously before the electronic horse has bolted.
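The signed-update scheme described above, as an added illustration that is not part of the original article or of any manufacturer’s product: the vendor signs a version number plus image with an Ed25519 key, and the device’s trusted section, which holds only the public key, refuses to apply any update whose signature does not verify. The bundle layout, type names and function names are hypothetical.

```go
package main
import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

// Update is a constructed (hypothetical) bundle: version, image, and the
// manufacturer's Ed25519 signature over both.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}
// Device models the trusted section: it holds only the manufacturer's public key.
type Device struct {
	ManufacturerKey ed25519.PublicKey
	Installed       Update
}

var ErrBadSignature = errors.New("update rejected: signature does not verify")
// signedBytes is exactly what gets signed and verified: version first, so
// neither version nor image can change without invalidating the signature.
func signedBytes(version uint32, image []byte) []byte {
	buf := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, image...)
}

// GenerateManufacturerKeys creates the vendor's key pair (kept offline at the vendor).
func GenerateManufacturerKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	return pub, priv
}

// SignUpdate is the vendor-side step, done before an update is released.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	sig := ed25519.Sign(priv, signedBytes(version, image))
	return Update{Version: version, Image: image, Signature: sig}
}

// Install is the device-side step: verify against the embedded key, apply only on success.
func (d *Device) Install(u Update) error {
	if !ed25519.Verify(d.ManufacturerKey, signedBytes(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	d.Installed = u
	return nil
}
```

A real device would also pin a minimum version in the same trusted section to refuse downgrades, and would verify the whole image before writing any of it to flash.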
Adrian McCullagh BSc (Computer Science), LLB (Law), PhD (Digital Signatures) QUT is an Adjunct Research Fellow of the Law Futures Centre at Griffith University, Queensland, Australia and principal of ODMOB Lawyers.
John Flood LLB-LSE, LLM-Warwick, LLM-Yale, PhD (Sociology)-Northwestern is Professor and Director of the Law Futures Centre at Griffith University, Queensland, Australia.