Online encryption cracked by US and UK security services

Photograph by Jeroen Bennink

The NSA and GCHQ have reportedly cracked a number of technologies used on the internet to encrypt communications used in online banking, email, and storing medical records.

The information comes from disclosures by whistle-blower Edward Snowden, with pieces published jointly by the Guardian, New York Times, and ProPublica.

The NSA is described as spending $250 million (£160 million) per year on this covert project, codenamed “Bullrun” after a battle in the US Civil War, with the British counterpart from GCHQ called “Edgehill”, named after a battle in the English Civil War a couple of centuries earlier.

Bullrun utilize a mixture of hacking, with supercomputers used to “brute-force” crack passwords when needed, along with covert deals with technology and security companies to build backdoors into tools and software sold as secure to businesses and consumers around the world. These deals are found through a mixture of payments and persuasion through court orders, but the documents from Snowden do not reveal the names of the companies involved.

The NSA even managed to become the sole editor for a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006 so that they would be able to crack the technology.

Edgehill also utilizes hacking, with supercomputers again used to crack passwords people believed to be secure, with research focused on hacking the email/messaging services of the “big” – Hotmail, Google, Yahoo, and Facebook. GCHQ has direct access to the data flowing through some transatlantic fibre-optic cables, through which much of the web’s traffic flows from around the world, with its Tempura programme. This means that decryption is of particular interest to the British intelligence agency, as more of this data has become encrypted in recent years as customers push for their data to be secure from prying eyes.

The leaks show that the NSA is looking to have access to a similarly large flow of information, possibly through direct access to another undersea transatlantic cable, at some point later this year, possibly through covert cooperation with a technology provider.

The budget of the Bullrun project dwarfs that of the Prism programme which made headlines recently, and with the security services cracking the tools needed for secure transmission online and even building in backdoors they are breaking the trust which underpins the web. Billions of people use the internet each day, and trust that their personal information from medical records, to banking details, or just personal messages between loved ones, are not compromised. If the security services have a backdoor, the technologies are not secure, and it is only a matter of time before others find these holes and exploit them for their own purposes.