US, UK spies reverse-engineered security software in search for flaws

The UK GCHQ has been actively trying to reverse-engineer popular security software in order to find vulnerabilities that can be used to neutralize the protection the software offers to the agency’s potential targets.

“Personal security products such as the Russian anti-virus software Kaspersky continue to pose a challenge to GCHQ’s CNE [computer network exploitation] capability and SRE [software reverse engineering] is essential in order to be able to exploit such software and to prevent detection of our activities,” one of the documents (from 2008) says.

According to The Intercept, which bases its reports on documents from Edward Snowden’s trove, Kaspersky Lab’s security software wasn’t the only one that the agency tried to reverse-engineer and find vulnerabilities in.

Other targeted software included commercial encryption software such as Exlade’s CrypticDisk and Acer’s eDataSecurity, online forum systems vBulletin and Invision Power Board, the popular web hosting control panel cPanel, the Postfix administration interface PostfixAdmin, software managing Cisco routers, and so on.

The documents show that the agency was aware that doing this without a warrant was illegal, so it sought warrants repeatedly. However, the law under which those warrants were granted has been interpreted so liberally that the interpretation probably wouldn’t be upheld by a court of law.

Other documents show that the US NSA has also been interested in Kaspersky Lab’s software and searched for weaknesses in it. They apparently found one: the software was transmitting user and system information to the company’s servers in unencrypted form, and the agency apparently thought of collecting this information and using it to uniquely identify devices used by Kaspersky users, in case the need for such information arose in the future.

Kaspersky Lab denies that the information can be used to identify users or companies, and denies that it is sent in unencrypted form. The Intercept’s testing revealed that the device’s hardware configuration and information about installed software are not encrypted by one of Kaspersky’s business security solutions.

Finally, the NSA and the GCHQ also intercept email communications from users to AV companies in order to get their hands on malware reports and samples.

A presentation has revealed that not only communication with Kaspersky is intercepted, but also communication with many other non-US and non-UK security companies, such as Bitdefender, F-Secure, Avast, Checkpoint, ESET, Avira, and many others.

“There is a certain logic to monitoring reports flowing into anti-virus companies. Such reports include new malware, which can potentially be re-purposed, and intelligence about hostile actors. What’s more, information about security vulnerabilities in the AV software itself can be harvested,” the reporters noted.
