The volley of statements and denials from companies including Cisco, HP, Dell, Microsoft, Juniper, Huawei, Apple and Western Digital follows an explosive article in the German magazine Der Spiegel, which coincided with a speech from security specialist and hacker Jacob Appelbaum at the 30th Chaos Computer Conference, Hamburg, Germany.
During the speech, on 31st December, Appelbaum, a cryptography expert, revealed leaked NSA slides detailing the agency’s exploits.
He was also named as the author of the Der Spiegel article, which listed the names and details of NSA exploits that allowed the agency to spy on data moving through the switches and routers of the world’s biggest networking vendors.
He also revealed alleged NSA exploits targeting the world’s most popular servers manufactured by Dell and HP.
Appelbaum told the conference that by naming the companies he hoped to build pressure on vendors to come clean on whether they were accomplices or victims.
“Every year the number of people hired to break into people’s computers is growing,” he said.
“In order to have truth and reconciliation we need a little truth.”
Appelbaum told the conference the NSA had cracked the server hardware systems at the BIOS level.
The Basic Input/Output System (BIOS) is the firmware that provides the most basic instructions to a system.
If malware is inserted in the BIOS, security experts will have no way to locate it, even when they can see the result.
One of the leaked slides specifically referred to Dell’s PowerEdge servers (1850, 2850, 1950).
It said all of the servers featured a vulnerability which allowed the NSA to compromise the BIOS using remote access or a USB stick.
John McClurg, Vice President, Global Security, Dell, categorically denied assisting the NSA in a blog post.
“Our highest priority is the protection of customer data and information, which is reflected in our robust and comprehensive privacy and information security programme and policies,” he said.
“We take very seriously any issues that may impact the integrity of our products or customer security and privacy.
“Should we become aware of a possible vulnerability in any of Dell’s products we will communicate with our customers in a transparent manner as we have done in the past.
“Dell does not work with any government – United States or otherwise – to compromise our products to make them potentially vulnerable for exploit.
“This includes ‘software implants’ or so-called ‘back doors’ for any purpose whatsoever.”
HP said it was not aware of any of the information presented in the Der Spiegel article and that it was not aware of any NSA efforts to compromise its gear.
“HP’s privacy and security policies are quite clear: we do not knowingly develop products to include security vulnerabilities,” HP said in a statement.
Juniper Networks released a statement which said it was not aware of any so-called ‘BIOS implants’ in its products and that it had not assisted any organisation or individual in the creation of such implants.
“Juniper maintains a Secure Development Lifecycle, and it is against Juniper policy to intentionally include ‘back doors’ that would potentially compromise our products or put our customers at risk,” it said.
“We take allegations of this nature very seriously and are working actively to address any possible exploit paths.”
Cisco’s Chief Security Officer John Stewart denied any collusion with the NSA.
In a blog post he said Cisco was deeply concerned with anything that may impact the integrity of its products or its customers’ networks and would continue to seek additional information.
“At this time, we do not know of any new product vulnerabilities, and will continue to pursue all avenues to determine if we need to address any new issues.
“We do not work with any government to weaken our products for exploitation, nor to implement any so-called security ‘back doors’ in our products.”