Did the NSA know about Heartbleed before everyone else?

One of the first questions many people asked when OpenSSL’s Heartbleed vulnerability came to light was whether the bug had been put there deliberately, either by national intelligence agencies or by some other malicious actor. But even if it wasn’t, and it really was an accident, that leaves us to wonder whether the NSA or anyone else discovered it first and has been exploiting it all this time.

There’s absolutely no evidence to suggest either scenario is true, simply because it’s impossible to know for sure (unless Ed Snowden suddenly produces some documents showing the NSA knew all along…). The identity of the programmer responsible for introducing the flaw is now known. This morning, Robin Seggelmann, of Munster in Germany, gave an exclusive interview to the Sydney Morning Herald, and comes across as being somewhat embarrassed by the whole episode.

From the SMH:

“Mr Seggelmann, of Munster in Germany, said the bug which introduced the flaw was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.”

“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he said.”

“In one of the new features, unfortunately, I missed validating a variable containing a length.”

“After he submitted the code, a reviewer “apparently also didn’t notice the missing validation”, Mr Seggelmann said, “so the error made its way from the development branch into the released version.” Logs show that reviewer was Dr Stephen Henson.”

“Mr Seggelmann said the error he introduced was “quite trivial”, but acknowledged that its impact was “severe”.”

Mr. Seggelmann goes on to deny that he is working for, or has any contact with, intelligence agencies, but admits that it’s “entirely possible” an entity like the NSA could have discovered the flaw before it became widely known.

Okay, but the chances of the NSA discovering Heartbleed must have been pretty slim, surely? You’d think so, but then again the bug apparently went unnoticed for two years, yet two people seem to have discovered it on the same day. There’s a great ‘behind the scenes’ story in Vocativ which describes how Codenomicon researchers found the bug, and it also states this:

“Unbeknownst to Chartier, a little-known security researcher at Google, Neel Mehta, had discovered and reported the OpenSSL bug on the same day. Considering the bug had actually existed since March 2012, the odds of the two research teams, working independently, finding and reporting the bug at the same time was highly surprising.”

That’s a huge coincidence, but it doesn’t necessarily mean anything sinister is going on. As Wired points out in its own article exploring the NSA angle, the vulnerability probably wouldn’t be that useful to the NSA anyway, considering all the other capabilities it has. Heartbleed might be a potential goldmine for hackers, but as far as intelligence gathering goes it’s not all that. The problem, from the NSA’s perspective, is the data that Heartbleed grabs is totally random – it grabs chunks of memory found within a server’s RAM – which could be anything at all. For sure it could include user names, passwords, encryption keys etc, but it’s all totally random, which, as Wired notes, makes it “very inefficient” for something like the NSA.

But just because something is inefficient, doesn’t mean they wouldn’t use it. Peter Eckersley of the Electronic Frontier Foundation came across a suspicious incident from last November, in which some kind of botnet appeared to be trying to exploit Heartbleed:

“The second log seems much more troubling. We have spoken to Ars Technica’s second source, Terrence Koeman, who reports finding some inbound packets, immediately following the setup and termination of a normal handshake, containing another Client Hello message followed by the TCP payload bytes 18 03 02 00 03 01 40 00 in ingress packet logs from November 2013. These bytes are a TLS Heartbeat with contradictory length fields, and are the same as those in the widely circulated proof-of-concept exploit.”

“Koeman’s logs had been stored on magnetic tape in a vault. The source IP addresses for the attack were and Interestingly, those two IP addresses appear to be part of a larger botnet that has been systematically attempting to record most or all of the conversations on Freenode and a number of other IRC networks. This is an activity that makes a little more sense for intelligence agencies than for commercial or lifestyle malware developers.”

This is by no means definitive evidence of an attack, but we can’t rule it out either. One thing we do know is the NSA has been running a program called Bullrun that’s designed to break SSL encryption, so it stands to reason it could’ve stumbled upon the bug. If it did so, it’s rather sad that it chose to use it to its own advantage, rather than make the exploit known and help protect the rest of us.
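The eight bytes quoted from Koeman’s logs can be decoded by hand, and the “missing validation” Mr Seggelmann describes is the comparison between the two length fields they contain. The Python sketch below is an added example, not code from this article, the EFF or OpenSSL; the function name `inspect_heartbeat` and the well-formed sample record are constructed for illustration, and it assumes the record was captured in plaintext.

```python
import struct

TLS_HEARTBEAT = 0x18   # TLS record content type 24 (RFC 6520)
MIN_PADDING = 16       # RFC 6520 requires at least 16 bytes of padding

# Bytes quoted in the EFF excerpt above.
LOGGED = bytes.fromhex("18 03 02 00 03 01 40 00")
# Constructed sample: a request carrying 4 payload bytes plus 16 bytes of padding.
WELL_FORMED = bytes.fromhex("18 03 02 00 17 01 00 04") + b"ping" + bytes(16)


def inspect_heartbeat(data: bytes) -> dict:
    """Parse one plaintext TLS record and compare its two length fields."""
    if len(data) < 5:
        return {"verdict": "truncated-record"}
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != TLS_HEARTBEAT:
        return {"verdict": "not-heartbeat"}
    body = data[5:5 + rec_len]
    if rec_len < 3 or len(body) < rec_len:
        return {"verdict": "truncated-record"}
    hb_type, claimed = struct.unpack("!BH", body[:3])
    result = {
        "version": (major, minor),
        "record_length": rec_len,      # what the record layer says was sent
        "hb_type": hb_type,            # 1 = request, 2 = response
        "claimed_payload": claimed,    # what the heartbeat message says it carries
    }
    # The bound check: type (1) + length (2) + payload + padding must fit
    # inside the record. A message that fails it must be discarded.
    if 1 + 2 + claimed + MIN_PADDING > rec_len:
        result["verdict"] = "length-mismatch"
        # Bytes a receiver would echo from beyond the record if it trusted `claimed`.
        result["bytes_beyond_record"] = max(0, claimed - (rec_len - 3))
    else:
        result["verdict"] = "well-formed"
    return result


if __name__ == "__main__":
    for name, sample in (("logged", LOGGED), ("well-formed", WELL_FORMED)):
        print(name, inspect_heartbeat(sample))
```

For the logged bytes the record layer declares 3 bytes while the heartbeat message claims a 16,384-byte payload, which is the contradiction the EFF excerpt refers to.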