Skip to main content

NSA Knew About Heartbleed, Did Nothing, Sources Say

UPDATED 5:45 PM EDT Friday with denial from NSA.

Did the National Security Agency (NSA) know about the Heartbleed Internet security flaw for the past two years? That's what two anonymous sources told Bloomberg News reporter Michael Riley.

The NSA not only said nothing about the serious bug that compromised the OpenSSL encryption library used by millions of websites, but it also used the bug to gather intelligence, Riley's sources told him. 

MORE: Heartbleed Bug: Information, Advice and Resources

If the NSA did know about Heartbleed, it could have used the bug to get data from any Internet-facing server using a vulnerable version of OpenSSL since the flaw was accidentally implemented in January 2012. Such data would include usernames, passwords, encryption keys, search history, private messages and more.

The NSA (or anyone who exploited the Heartbleed bug) could also have used encryption keys stolen through Heartbleed to decrypt traffic to and from a vulnerable server, or even impersonate a server to fool users into visiting fake versions of real websites.

No one has yet proven that the Heartbleed bug has been exploited by the NSA, other intelligence groups or by cybercriminals. Using the Heartbleed bug to extract protected data leaves no trace in the affected server's logs. Bloomberg's sources are described only as "familiar with the matter."

If the NSA knew about Heartbleed and did nothing to alert others of it, is the agency — which secures federal government networks, and advises the public on computer security — negligent for allowing millions of Americans' data to be exposed by the bug?

Some security experts say it is.

"It flies in the face of the agency's comments that defense comes first," Jason Healey, director of the cyber statecraft initiative at the Atlantic Council told Bloomberg.  "They are going to be completely shredded by the computer security community for this."

The NSA has not officially commented on the Heartbleed accusations. But last month the NSA's new director, Vice Admiral Michael Rogers, said during his confirmation hearing that "the default is to disclose vulnerabilities in products and systems used by the US and its allies."

"If the NSA really knew about Heartbleed, they have some serious explaining to do," tweeted Matthew Green, a security expert and cryptography professor at Johns Hopkins University in Baltimore.

UPDATE: In a statement, the NSA and the Office of the Director of National Intelligence denied that the NSA knew of Heartbleed before last week.

"Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong," the statement read. "The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report."

"If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL," the statement continued. "When Federal agencies discover a new vulnerability in commercial and open source software — a so-called 'zero day' vulnerability ... — it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose."

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.