Kindle Notes & Highlights
discovered a zero-day exploit in the Jeep Cherokee that allowed them to seize control of the steering wheel, disable the brakes, screw with the headlights, indicators, wipers, and radio and even cut the engine from a remote computer thousands of miles away. Eight months later, the automaker was still dealing with the fallout.
hotel elevator ran on the same vulnerable platform as the hacked Jeep.
What Charlie found late one evening in 2006 was the type of bug most could spend a lifetime searching for and never find—the kind of zero-day that could have allowed him to run amok through NASA’s computer systems or hijack the password to a Russian oligarch’s trading account.
But Charlie blew a hole right through that theory. He demonstrated before an audience of hundreds how easily he could remotely control anyone’s iPhone simply by steering their browser to a malicious website he created.
When Google unveiled a beta-version of its Android operating system that year, Charlie couldn’t help himself. He broke it almost immediately with an exploit that made it possible to remotely capture an Android user’s every keystroke, text, password,
KGB planted bugs in its teleprinters, which had relayed all their incoming and outgoing telegrams to the Soviets for six years.
the bugs could be anywhere: their printers, copiers, typewriters, computers, crypto gear—anything plugged into a wall. The Soviets had proven themselves creative geniuses when it came to eavesdropping.
tiny electronic unit recording every disturbance, cataloging the underlying data, and transmitting the results in short bursts via radio to a nearby Soviet listening post. The entire implant could be controlled by remote control and had been specifically designed to allow the Soviets to turn it off when American inspectors were in the area.
Years later, the NSA would turn the same trick on iPhones, computers, and on America’s biggest technology companies, capturing data as it flowed between Google and Yahoo’s data centers in unencrypted form.
lock down anything that plugged into an outlet.
“Think about it,” he told me one day. “Nothing is American-made anymore. Do you really know what’s in your phone, or in your laptop?”
And yet here we were, entrusting our entire digital lives—passwords, texts, love letters, banking records, health records, credit cards, sources, and deepest thoughts—to this mystery box, whose inner circuitry most of us would never vet, run by code written in a language most of us will never fully understand.
As Gosler spoke, my mind went straight to Apple’s haggard, faceless factory workers in China. In my mind, that factory worker now had a face, and his dormitory now had a mattress stuffed with all the cash foreign spies had been paying him in bribes to swap in their spiked encryption chip—the one with the weak crypto that cryptographers back at Fort Meade, or Cheltenham, or Moscow, or Beijing, or Tel Aviv, could easily crack....
the United States was now up against a growing list of complex national security threats: the proliferation of nuclear, biological, and chemical weapons; criminal groups and drug cartels; regional instability in the Middle East and Africa; and new and unforeseen terrorist threats.
The U.S. national security apparatus,
was collecting more data on more targets around the globe than it ever had in history, and yet it had missed critical intelligence. It had failed to connect the dots.
before the planes hit, they discovered that they’d had everything they would have needed to prevent the attacks.
collect Americans’ phone records in bulk,
mandated that America’s biggest telecoms turn over metadata for every single call made into, out of, and wholly within the United States.
looking at any computers of consequence—in government, in Congress, at the Department of Defense, aerospace, companies with valuable trade secrets—we’ve not examined one yet that has not been infected,” by China.
highly classified NSA software program code-named Genie began aggressively embedding implants not just in foreign adversaries’ systems but in nearly every major make and model of internet router, switch, firewall, encryption device, and computer on the market.
American officials routinely point out that Huawei’s founder, Ren Zhengfei, “China’s Steve Jobs,” was a former Chinese PLA officer, and warn that Huawei’s equipment is riddled with Chinese backdoors.
learned from leaked classified documents that the NSA had pried its way into Huawei’s headquarters in Shenzhen, years ago, stolen its source code, and planted its own backdoors in the company’s routers, switches, and smartphones.
Hundreds of thousands of NSA implants were deeply embedded in other foreign networks, routers, switches, firewalls, computers, and phones around the globe. Many were actively siphoning texts, emails, and conversations back to the agency’s server farms every day. Many others were sleeper cells, dormant until called upon for a rainy day or some future shutdown—or all-out cyberwar.
nobody apparently stopped to ask whether in their zeal to poke a hole and implant themselves in the world’s digital systems, they were rendering America’s critical infrastructure—hospitals, cities, transportation, agriculture, manufacturing, oil and gas, defense; in short, everything that undergirds our modern lives—vulnerable to foreign attacks. There
But in 2009, without any debate at all, in the cordoned-off copper walls of Fort Meade, the United States set new rules for cyberwar.
Starting that year, it was not only acceptable to implant code in a foreign nation’s critical infrastructure; now the United States made it perfectly okay to reach across a border and take out another nation’s nuclear program. So long as nobody ever uttered a word about it. And so long as it did so with code.
“The most likely way for the world to be destroyed, most experts agree, is by accident.
The code would need to lie dormant, undetected, over time, so as not to blow their
Stuxnet
generic, in the sense that there was nothing in the code to prevent others from firing the very same weapon at the very same Windows and Siemens computers—computers that control the world’s water pumps, air-conditioning systems, chemical plants, power grids, and manufacturing plants. The world should be forewarned, Langner said, that the next worm migh...
United States may have thwarted a conventional war, but in releasing Stuxnet on the world, it opened up
entirely new battlefront. The worm had crossed the Rubicon from defensive espionage to offensive cyberweapon, and in just a few years, it would come boomeranging back on us.
Somebody just used a new weapon, and this weapon will not be put back in the box.”
Smartphones were now real-time trackers, digitizing a person’s every movement, relationship, purchase, search, and noise.
Retailers could now trace a customer’s purchase to the “smart” billboard they drove by days earlier.
The cost to record, store, disseminate,
February 2011 IBM’s Watson computer made its first public debut on Jeopardy!,
short eight months later, Apple introduced the world to Siri, our new voice assistant, whose high-quality voice recognition and natural language processing let us send emails and texts and set reminders and playlists.
Der Spiegel leak is how the world came to know about Dropoutjeep, the TAO exploit developed specifically for the iPhone, the one that could do all the usual text, phone call, and location monitoring, hot-miking and photo snapping, even when the iPhone was offline.
A zero-day exploit in the NSA’s arsenal could not be tailored to affect only a Pakistani intelligence official or an al-Qaeda operative. American citizens, businesses, and critical infrastructure would also be vulnerable if that zero-day were to come into the hands of a foreign power, cybercriminal, or rogue hacker.
American businesses, hospitals, electric utilities, nuclear plants, oil and gas pipelines, transportation systems—planes, trains, and automobiles—relied on the same applications and hardware the NSA’s arsenal exploited.
That year, having ironically spawned the zero-day market and launched the world into the era of cyberwar, Keith Alexander, Stuxnet’s architect, was asked what kept him up at night. “My greatest worry,” Alexander told a reporter, was the growing likelihood of zero-day exploits falling into the wrong hands.
working on a mobile app that could detect government surveillance on smartphones.

