The National Security Agency successfully broke the encryption on a number of “high potential” virtual private networks, including those of media organization Al Jazeera, the Iraqi military and internet service organizations, and a number of airline reservation systems, according to a March 2006 NSA document.
A virtual private network, or VPN, uses an encrypted connection to enable users to go over the internet and connect to a private network, such as a corporate intranet. This allows an organization’s staff to access internal services like file-sharing servers or private wikis without having to physically be in the office.
The NSA’s ability to crack into sensitive VPNs belonging to large organizations, all the way back in 2006, raises broader questions about the security of such networks. Many consumers pay for access to VPNs in order to mask the origin of their internet traffic from the sites they visit, hide their surfing habits from their internet service providers, and to protect against eavesdroppers on public Wi-Fi networks.
The fact that the NSA spied on Al Jazeera’s communications was reported by the German newsmagazine Der Spiegel in 2013, but that reporting did not mention that the spying was accomplished through the NSA’s compromise of Al Jazeera’s VPN. During the Bush administration, high-ranking U.S. officials criticized Al Jazeera, accusing the Qatar-based news organization of having an anti-American bias, including because it broadcasted taped messages from Osama bin Laden.
“Both protocols offer a zillion configurable options, which is a source of a lot of the vulnerabilities.”
At the time, Al Jazeera defended itself against this criticism, insisting that its reporting was objective. “Osama bin Laden, like it or not, is a party to this present crisis,” news editor Ahmed Al Sheikh told the BBC in 2001. “If we said that we were not going to allow him the air time, then we would have lost our integrity and objectivity and our coverage of the story would have become unbalanced.”
According to the document, contained in the cache of materials provided by NSA whistleblower Edward Snowden, the NSA also compromised VPNs used by airline reservation systems Iran Air, “Paraguayan SABRE,” Russian airline Aeroflot, and “Russian Galileo.” Sabre and Galileo are both privately operated, centralized computer systems that facilitate travel transactions like booking airline tickets. Collectively, they are used by hundreds of airlines around the world.
In Iraq, the NSA compromised VPNs at the Ministries of Defense and the Interior; the Ministry of Defense had been established by the U.S. in 2004 after the prior iteration was dissolved. Exploitation against the ministries’ VPNs appears to have occurred at roughly the same time as a broader “all-out campaign to penetrate Iraqi networks,” described by an NSA staffer in 2005.
“Although VPNs pose special challenges for SIGINT (signals intelligence) collection and processing, we’ve recently had notable success in exploiting these communications,” wrote the author of the document, an article for the internal NSA news site SIDtoday. The author added that the NSA’s Network Analysis Center had been focusing on “VPN SIGINT Development (SIGDev) for over three years now, and the investment is paying off!” The article does not say what VPN technology any of the targets used, nor does it give any technical details on how the NSA broke the encryption on them.
The technical details that describe how the NSA exploits VPNs are a closely-guarded secret, according to another SIDtoday article, from December 2006. “Exploiting VPNs makes use of some of the newest state-of-the-art techniques,” the article stated, “and because of this, the exploitation details are held closely and generally not available to field sites.” The author went on to describe a tool called VIVIDDREAM that lets analysts who discover new VPNs test whether the NSA has the capability to exploit it, all without revealing to the analyst any sensitive information about how the exploit works.
Documents provided to news organizations by Snowden do not conclusively list which VPN technologies have been compromised by the NSA and which have not. However, there have been a number of news reports about the NSA’s VPN hacking capabilities based on these documents, and cryptographers who have reviewed them have come up with some educated guesses.
In 2014, The Intercept reported on the NSA’s plans, dated August 2009, to use an automated system called TURBINE to covertly infect millions of computers with malware. The revelations described a piece of NSA malware called HAMMERSTEIN, installed on routers that VPN traffic traverses. The malware was able to forward VPN traffic that uses the IPSec protocol back to the NSA to decrypt. However, the documents did not explain precisely how the decryption occurred.
Later that year, Der Spiegel published 17 documents from the Snowden archive related to the NSA’s attacks against VPNs, many of them providing more details about TURBINE, HAMMERSTEIN, and related programs.
There are many different VPN protocols in use, some of them known to be less secure than others, and each can be configured in ways to make them more or less secure. One, Point-to-Point Tunneling Protocol, “is old and insecure and there are a bunch of known security vulnerabilities since forever,” Nadia Heninger, cryptography researcher at the University of Pennsylvania, told me in an email. “I would not at all be shocked if these were being exploited in the wild.”
The NSA also appears to have, at least in some situations, broken the security of another VPN protocol, Internet Protocol Security, or IPSec, according to the Snowden documents published by The Intercept and Der Spiegel in 2014.
“For both TLS and IPsec, there are both secure and insecure ways of configuring these protocols, so they can’t really be labeled as blanket ‘secure’ or ‘insecure,’” Heninger explained. “Both protocols offer a zillion configurable options, which is a source of a lot of the published protocol-level vulnerabilities, and there are cipher suites and parameter choices for both protocols that are definitely known to be cryptographically vulnerable.” Still, she was “pretty confident” that there are ways to configure TLS and IPsec that “should resist all known attacks.”