It’s just ten days since I pointed to a Microsoft security leak as proof of my point that any iPhone master key created by Apple would inevitably fall into the wrong hands in time – and even more powerful support for that position now exists.
It was revealed last week that powerful hacking tools created by the NSA have been leaked, and are now being auctioned to the highest bidder. Christopher Soghoian, Principal Technologist with the Speech, Privacy, and Technology Project at the American Civil Liberties Union, summarised that argument in a single tweet.
Of course, claims by Russian hackers – known as the Shadow Brokers – to possess hacking tools created by the NSA shouldn’t be taken at face value, but we now have good evidence that those claims are accurate. The Shadow Brokers made available for download some of the tools, allowing security researchers to test them. Those tests have demonstrated that the tools work.
Even more persuasively, former employees of the NSA’s hacking team, Tailored Access Operations (TAO), have validated the claims, reports the Washington Post.
The file appeared to be real, according to former NSA personnel who worked in the agency’s hacking division, known as Tailored Access Operations (TAO).
“Without a doubt, they’re the keys to the kingdom,” said one former TAO employee, who spoke on the condition of anonymity to discuss sensitive internal operations. “The stuff you’re talking about would undermine the security of a lot of major government and corporate networks both here and abroad.”
Said a second former TAO hacker who saw the file: “From what I saw, there was no doubt in my mind that it was legitimate.”
“What’s clear is that these are highly sophisticated and authentic hacking tools,” said Oren Falkowitz, chief executive of Area 1 Security and another former TAO employee.
The NSA’s TAO unit has more than 2,000 staff working on developing tools to compromise devices. Some of the tools allow those using them to penetrate firewalls and take control of network routers.
As with the Microsoft leak, it appears that the source of the NSA tools may be down to simple error rather than any malicious act.
Some former agency employees suspect that the leak was the result of a mistake by an NSA operator, rather than a successful hack by a foreign government of the agency’s infrastructure […]
It is not unprecedented for a TAO operator to accidentally upload a large file of tools to a redirector, one of the former employees said.
Whatever steps the FBI would take to protect its hacking tools, you’d expect the NSA – whose opponents are foreign governments – to put in place even stronger protections. Yet we now seem to have clear evidence that these protections cannot and have not prevented them making their way into the wrong hands. It is now utterly impossible to argue that the same would not be true had Apple agreed to create the iPhone master key the FBI demanded.