Security researcher Jacob Appelbaum dropped a bombshell of sorts earlier this week when he accused American tech companies of placing government-friendly backdoors in their devices. Now Texas-based Dell Computers is offering an apology.
Or to put it more accurately, Dell told an irate customer on Monday that they “regret the inconvenience” caused by selling to the public for years a number of products that the intelligence community has been able to fully compromise in complete silence up until this week.
Dell, Apple, Western Digital and an array of other Silicon Valley firms were all name-checked during Appelbaum’s hour-long presentation Monday at the thirtieth annual Chaos Communication Congress in Hamburg, Germany. As RT reported then, the 30-year-old hacker-cum-activist unveiled before the audience at the annual expo a collection of never-before-published National Security Agency documents detailing how the NSA goes to great lengths to compromise the computers and systems of groups on its long list of adversaries.
Spreading viruses and malware to infect targets and eavesdrop on their communications is just one of the ways the United States’ spy firm conducts surveillance, Appelbaum said. Along with those exploits, he added, the NSA has been manually inserting microscopic computer chips into commercially available products and using custom-made devices like hacked USB cables to silently collect intelligence.
One of the most alarming methods of attack discussed during his address, however, comes as a result of all but certain collusion on the part of major United States tech companies. The NSA has information about vulnerabilities in products sold by the biggest names in the US computer industry, Appelbaum said, and at the drop of a hat the agency is able to launch any type of attack to exploit the flaws in publicly available products.
The NSA has knowledge pertaining to vulnerabilities in computer servers made by Dell and even Apple’s highly popular iPhone, among other devices, Appelbaum told his audience.
“Hey Dell, why is that?” Appelbaum asked. “Love to hear your statement about that.”
Equally curious were Dave Waterson and Martijn Wismeijer — two IT experts who took to Twitter to express their outrage before Appelbaum’s lecture was even presented and preliminary information about the NSA leaks was published in an article he co-authored for Germany’s Der Spiegel magazine.
“NSA planted backdoors to access devices from Cisco, Dell, Western Digital, Seagate, Maxtor and Samsung,” Waterson wrote in a tweet that linked to a CNET article from Sunday that quoted from Der Spiegel’s top-secret documents.
“Thanks,” Wismeijer wrote on Monday. “I just found out my Dell server has NSA bug in RAID BIOS,” he said of one critical component that’s easily exploited, according to Appelbaum.
@DavidLWaterson Thanks I just found out my #Dell server has #NSA bug in RAID Bios. @DellCares You obviously don't care about your customers!
— Martijn Wismeijer (@twiet) December 30, 2013
TechDirt reporter Mike Masnick noticed early Tuesday that Dell’s official customer service Twitter account opted to issue a cookie-cutter response that drips with insincerity.
“Thank you for reaching out and regret the inconvenience,” the Dell account tweeted to Wismeijer. “Our colleagues at @DellCaresPro will be able to help you out.”
“Inconvenience? You got to be F*ckin kidding me!” Wismeijer responded. “You place an NSA bug in our servers and call it an inconvenience?”
@DellCares @dellcarespro Inconvenience? You got to be F*ckin kidding me! You place an NSA bug in our servers and call it an inconvenience?
— Martijn Wismeijer (@twiet) December 31, 2013
“There are times when big brands with ‘social media people’ might want to teach those junior level employees to recognize that using one of the standard ‘scripted’ answers might be inappropriate,” opined Masnick.
Appelbaum didn’t leave Dell off the hook after revealing just that one exploit known to the NSA, however. Before concluding his presentation, he displayed a top-secret document in which the agency makes reference to a hardware implant that could be manually installed onto Dell PowerEdge servers to exploit the JTAG debugging interface on its processor — a critical circuitry component that apparently contains a vulnerability known to the US government.
“Why did Dell leave a JTAG debugging interface on these servers?” asked Appelbaum. “Because it’s like leaving a vulnerability in. Is that a bugdoor, or a backdoor or just a mistake? Well hopefully they will change these things or at least make it so that if you were to see this, you would know that you have some problems. Hopefully Dell will release some information about how to mitigate this advanced persistent threat.”
Appelbaum also provoked Apple by acknowledging that the NSA boasts of being able to hack into any of their mobile devices running the iOS operating system.
“Either they have a huge collection of exploits that work against Apple products — meaning they are hoarding information about critical systems American companies produce and sabotaging them — or Apple sabotages it themselves,” he said.
“Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone,” the company responded through an official statement on Tuesday. “Whenever we hear about attempts to undermine Apple’s industry-leading security, we thoroughly investigate and take appropriate steps to protect our customers. We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them.”
Meanwhile, other top-tier computer companies have already addressed Der Spiegel and Appelbaum’s allegations that they either colluded with the NSA or complied with the spy firm as they exploited vulnerabilities, known or unknown, in their own products. A representative for Microsoft told the Huffington Post on Monday that the company “does not provide any government with direct or unfettered access to our customer's data” and said the tech giant “would have significant concerns if the allegations about government actions are true,” but a Washington, DC representative for Chinese company Huawei was more upfront when reached for comment by Wired about any cooperation with the US government or other entities.
“We read the media reports, and we’ve noted the references to Huawei and our peers,” Huawei vice president William Plummer told Wired from the US capital. “As we have said, over and over again — and as now seems to be validated — threats to networks and data integrity can come from any and many sources.”
“Everything that the United States government accused the Chinese of doing — which they are also doing, I believe — we are learning that the United States government has been doing to American companies,” Appelbaum said towards the end of Monday’s presentation. “That to me is really concerning and we’ve had no public debate about these issues.”