Vault 7, Internet Security, and Your Life on Display
As an electronics hardware and software designer, I have taken a keen interest in the WikiLeaks disclosure of the CIA's Vault 7 hacking tools. WikiLeaks has been dribbling out the details for months now, showing us what the CIA has been developing to, ahem, keep us safe from the bad guys. When I talk with fellow engineers about the possibility that the feds are sucking up every bit of data they can get their packet sniffers on, we all agree it is happening, to an unknown extent. How amazing to now get an actual peek behind the overpriced GSA-schedule gray curtain.
These disclosures are disturbing in multiple ways, for example, that our tax dollars are funding the federal government's hacking of free citizens' lives, all under the premise that they are only targeting criminals and spies. Most commentators find this the greatest outrage.
The most disturbing fact to me, as a tech insider and developer, is that the Swiss cheese computing tools we use today are way more hole than cheese. Vault 7 is evidence of this. There are exploits in Vault 7 for nearly every modern computing platform, operating system, and communications method. Everything connected to the Internet is broken. Everything. Including the device on which you are reading this article.
Stepping back a few paces, we have to ask: twenty-five years into this Internet revolution, why are we still plagued with these vulnerabilities? Microsoft releases patches for their operating system on a regular basis. Can't they get that junk fixed permanently? Apple hires the best engineers planet-wide, and still their OS has holes? Cell phones can be spoofed by stingrays, and there's no way to fix them to authenticate real cell towers? Verizon can update my phone without my permission while we sleep, but not fix this hideous flaw?
There are three reasons for the continuation of the vulnerability plague:
1) The government depends on these vulnerabilities to, ahem, keep us safe, and they discourage private industry from implementing high-level security. With a turned head and blind eye, few big players are in any hurry to totally lock down any major computing product, for fear of being chided by law enforcement, as happened to Apple when they encrypted all iPhone contents by default. Companies walk a thin line between pleasing the government and their customers, and back doors have been found in real products. Products containing encryption technology are regulated by the federal government, and penalties are possible for mishandling such tech.
2) There is a large market for cybersecurity tools and services. An article in Forbes estimated that the 2020 market would be $170 billion. How would that market shrink if Microsoft Windows all of a sudden became bulletproof? Who's up for an investigation of corporate cross-pollination between vulnerability makers and vulnerability takers? This is similar to the political argument on abortion, where every time the word is mentioned on television both Democrats and Republicans rake in the cash.
3) You probably guessed the first two reasons, but here's one you may not have considered. The vulnerability plague continues because legacy technology and economic realities prevent a cure.
Legacy technology is a factor because there is 25-year-old code running in many operating systems, especially in Windows. That code was written long ago with no concern for security, meaning that it is likely vulnerable to attack. Money and geeks are needed to rewrite and replace that code, and unless 100 million users' personal information is stolen as a result, there is little motivation to spend that money. If someone does discover a vulnerability, the problem is patched as needed, as cheaply as possible.
The economic reality involves the complexity of computing today. In your hand, you hold a phone with four or more central processor units, each running at billions of operations per second, with gigabytes of memory and numerous interfaces including broadband, WiFi, Bluetooth, USB, and memory cards, to name a few. The data sheets on these processors run to a thousand or more pages. (Take a look at a 1,745-page data sheet for a simpler processor family popular in Internet of Things devices.) Each interface typically has a computing chip of its own, with attending software, with data sheets running to a thousand pages. And every interface needs something called a driver, which is a chunk of software making the hardware operate properly.
Writing such a driver typically takes several man-months, perhaps several man-years for complex devices. That's not just code-writing, but testing the driver software to be sure it meets whatever industry standards apply, and testing it for robustness in other respects.
Look at the settings menu on your phone. Every device in that menu has a driver. Count 'em. There's a bunch. Now multiply by half a man-year apiece. That's a lot of hot pockets.
For an example of this economic reality, imagine that your small company is coming out with a new whiz-bang Internet of Things device, say, an Internet-enabled refrigerator. Your job is to write the code, the software that makes the appliance work. Of course, the fridge will have a WiFi interface for monitoring the temperature while the owner is on vacation, a USB port for uploading grocery lists and pictures of the kids, handwriting recognition on a touch screen, speech recognition, and a Bluetooth interface for your smart phone. Those interfaces represent several man-years of software development, just to write the drivers. But you have six months to complete the whole project. What's a geek to do?
Enter open source software. That's code written by others who have donated it for the world to use, under certain licensing terms. What if you could just download a WiFi driver for the chip you are using? Or download a USB driver? For free! Well, in most cases, you can.
This is not a new concept, and the entire Linux OS is built on this principle. However, with the current shrinking timelines of development, and Asian downward price pressure on all markets, programmers do not have the luxury of writing all the code in their products. Today's schedules and budgets demand that much of the code must be downloaded for free from open source software sites, such as SourceForge and GitHub. Browse those sites and check out the thousands upon thousands of software projects ready to be incorporated into the next product you buy off the shelf at Big Box, Inc.
One of my recent projects was a small tabletop instrument based on Linux. The removable memory card contained 75,000 files to boot Linux, and three (3) of mine to implement the product. My code was not simple by any means, but it fit in three files. How on earth could I test the other 75,000 files in a Linux installation to ensure that they are free of security holes? Impossible!
You see, most of the computing products you use, including your phone, are by economic necessity loaded with open source code. This is code written by just about anybody from experts to novices, combat boots to bunny slippers, tested perhaps by a few people before being released, hopefully verified as working by a larger community, but with no guarantee and no support. Serious issues can occur without anyone noticing, sometimes for years. Don't believe me? Check out the Heartbleed Bug for a breathtaking example.
I call this phenomenon the Open Source Bubble. Apologies for mixing metaphors, but eventually, the bubble will break and the whole house of cards will come crashing down. How close we are to this is anybody's guess.
For these three reasons -- that half the government's intelligence arm depends on insecure computing, the computer security market is gigantic, and securing computing by thoroughly testing all the software is economically impossible -- computing will never be secure, especially for us who are low on the food chain.
But there's more! Even if we replaced all Internet connected devices with something secure, there remains an eternal conflict between privacy and security. Government implements security by breaching the privacy of malcontents and criminals and punishing them. Free people remain free by securing their privacy, anonymity, and free speech, mostly against government. This is not a technological issue, but both sides will take advantage of technology to further their goals, even if the technology is flawless.
And yet more... Finding and exploiting all these Vault 7 vulnerabilities of course takes a large hive of overpaid government drones, and involves people in academia and the private sector as well. Vault 7 relates only to the CIA. There are numerous other government agencies doing exactly the same thing, not to mention other countries. And you are paying for all of it.
But take heart, because you are also paying for research into greater computer and Internet security! NSF, DHS, DoD, and other agencies fund private corporations and academia to do just that. For an example, see NIST. Bankers, it is said, lend money to both sides in every war, profiting handsomely. You, on the other hand, are being taxed by both sides, suffering financially! Can you feel the power?
Sorry for the pessimism, but I'm on the inside of the factory watching this sausage being made and it is not pretty. We are all living this. Many readers are also technology developers and will have in-depth comments on these issues I have only touched on, perhaps with more real-world examples. There are many more facets to this hot mess. Have at it.
Before the bubble pops and destabilizes the house of cards, what can you do to avoid these security problems? Avoid computing where possible. Use cash. Shun social media. Limit online interaction. Limit carrying a cell phone. Do not purchase Internet of Things devices. Disable GPS in your phone and car. Keep a low profile. Delete this article! And don't be a target, because it's as easy for someone to plant incriminating information on your computer as it is for them to read your mail, even seconds before that knock on your door.
Hank Wallace has been developing technology products since the 1970s.