It's long been the conventional wisdom that if the NSA is after you, there's pretty much no stopping it from getting inside your computer. The agency's dedicated hacking unit, Tailored Access Operations, has all kinds of ways to take over your devices, steal your data, and monitor you through your webcam or microphone—assuming you're interesting enough to target. But according to new documents obtained from Edward Snowden and published by Glenn Greenwald and Future Tense alumnus Ryan Gallagher at the Intercept, the NSA and its British counterpart GCHQ have been automating these targeted operations, allowing for “industrial scale exploitation” that can potentially infect “millions” of machines with malware.
The documents show that the automated system, codenamed TURBINE, has allowed the number of active malware “implants” to increase dramatically—from about 100 to 150 infected machines in 2004 to tens of thousands over the next six to eight years—and is intended to “aggressively scale” into the millions by infecting in “groups rather than individually.”
Intelligence agencies have various ways of delivering spyware implants, from man-in-the-middle attacks to the much less frequently successful method of tricking users into downloading malicious attachments from emails. On the extreme end of the spectrum, the NSA's previously disclosed QUANTUM system allows the agency to masquerade as popular websites like Google and Facebook, returning a Web browser's request with malicious packets before the legitimate server has a chance to respond.
Perhaps most alarming, however, is how TURBINE's expansion seems to piggyback on the massive amounts of data that advertising networks collect from Web users. One slide from a classified presentation shows how targets are identified using “selectors” including Google preference IDs, Yahoo cookies, and the unique identifiers captured by DoubleClick for ad-targeting purposes. Google's tracking cookies can also reveal things like Web browsing habits, making it possible for TURBINE to pick out groups of people for infection. The NSA wouldn't comment on the system but reassured the Intercept that “signals intelligence shall be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions, and not for any other purposes.”
The ability to automate and increase the number of targets is good news for spy agencies, because it maximizes the usefulness of the security flaws they use to penetrate machines. Such exploits all come with expiration dates, and the more often and carelessly they're used, the less time it takes until they are detected and patched. (Last year, Reuters reported that the United States is now the top buyer of “zero-0day” exploits—critical flaws in software that are unknown to its developers.) With the automated system, however, those exploits become much more agile. TURBINE and QUANTUM can scan for certain selectors—like ad-targeting IDs or people visiting certain websites—select a suitable exploit, and automatically “shoot” it to intended targets.
This revelation suggests that the NSA's tailored-access platform is becoming a bit more like the un-targeted dragnets everyone has been so upset about: stuff like the mass-collection of phone metadata, and the tapping of undersea Internet cables, which allows the agency to filter through raw communications for keywords.
Of course, the question is whether having the capability to “target” people en-masse means that the NSA and GCHQ will necessarily do so. But based on what we know so far from the Snowden files, it's hard to imagine what would stop them.