NSA May Have Exploited Heartbleed Bug For Years

The news of two truly horrible security breaches broke this year; one was the NSA’s shadowy data grabbing and surveillance program, and the other was the Heartbleed bug that left about two-thirds of the Internet utterly exposed to any bad actor. According to a Bloomberg report, these two stories have merged, as “two people familiar with the matter” have told the outlet that the NSA has known about the Heartbleed bug for at least two years and has regularly exploited it to gather intelligence.

In an emailed statement to Bloomberg, the Office of the Director of National Intelligence said, “Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong.”

NSA headquarters

Frankly, it’s unlikely anyone believes that statement to be true. The NSA domestic spying scandal, which we’ve covered extensively, has proven that the U.S. government’s security apparatus will do whatever it wants to gather data on whomever it wants. Speed bumps like the FISA court made some of these activities legal, at least technically, but if it’s true that the NSA used Heartbleed to gain access to private data on web servers around the world, it amounts to outright thievery.

Worse, as we’ve said before, if the NSA is using backdoors and exploits then anyone can do the same, including your worst-nightmare cast of bad characters. That’s (possibly) what has happened with Heartbleed.

Heartbleed bug
Credit: Mark Loman

The Heartbleed bug is especially pernicious because it doesn’t require a hack per se; there’s just a coding flaw in OpenSSL that allows someone with a little know-how to access everything on a web server, and thus it’s impossible to tell if a site has been compromised. The world found out about it this week, there’s a fix available, and most websites have certainly reset their security certificates so that the bug is patched, but if that backdoor has been open for the two years that the NSA is alleged to have been walking through it, who else has been using it and to what end?

If the NSA is indeed guilty of exploiting the Heartbleed bug, it’s possibly the agency’s most egregious violation to date. The agency says it has a policy of reporting vulnerabilities like Heartbleed when they’re found, but that doesn’t mean the heads of the NSA wouldn’t decide that the offensive worth of some exploits is greater than the defensive value of helping to patch it and thus protect U.S. citizens.