So far this week, separate reports have indicated that Russia exploited software from Kaspersky Lab to trawl US systems for classified data—in at least one case, successfully—and that North Korea hacked into classified South Korean military files. (It’s only Wednesday.) The common culprit? Antivirus software.
While antivirus software ostensibly seems like a benefit—it can stop malware from infecting your computer—many security researchers have expressed reservations about it for years. And though the recent Russian and North Korean incidents involve fairly specific circumstances, they serve as sobering reminders of just how much can go wrong when you grant deep system access to software that may not be as secure as it seems.
None of that means you should trash your personal antivirus just yet. But it’s worth understanding what you’re dealing with.
Into the Breach
A quick recap: After months of escalating hostility toward the Russian cybersecurity company and antivirus maker Kaspersky, including its complete banishment from US government agency computers, the New York Times reports that Russia has in fact used Kaspersky antivirus software to probe federal systems for US intelligence secrets.
North Korea, meanwhile, reportedly infiltrated Hauri, a South Korean company that provides antivirus software to that country’s military. By sneaking malware into the legitimate antivirus offering, The Wall Street Journal reports, North Korean hackers were able to grab classified data that included joint US-South Korea planning in event of war.
‘AV is pretty much the perfect bugging device on every computer it’s sold on.’
Bobby Kuzma, Core Security
Kaspersky denies that it has any direct connection to the Russian government, and the New York Times report that outlines Russia’s intrusion stops short of stating that the company colluded with Russian intelligence. But the two incidents underscore a troubling truth either way: Antivirus software can pose major risks, whether you’re an intelligence service or an everyday computer user.
“AV is pretty much the perfect bugging device on every computer it’s sold on,” says Bobby Kuzma, systems engineer at Core Security. “You’ve got this piece of software that’s in a position to see everything on your computer.”
That privileged status makes it possible for antivirus software to do its job, but also makes it an attractive target to well-heeled hackers.
“Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage efforts, and contrary to erroneous reports, Kaspersky Lab software does not contain any undeclared capabilities such as backdoors as that would be illegal and unethical,” the company says in an emailed statement.
But the North Korea incident shows that antivirus companies can be compromised without any sort of backroom agreement. And in fact, security analysts caution, the nature of antivirus makes detecting those vulnerabilities exceedingly difficult.
Think of it like this: You’re responsible for defending an impossibly large compound, filled with all sorts of tunnels and chambers and rooms, each containing prized secrets. Attacks are near-constant, and your enemies use ever-evolving tools to let them sneak and snoop and steal undetected.
To do your job effectively, you’d probably want to know exactly what’s happening everywhere in that edifice at any given time. A camera in every room, say, or even a guard. You’d want the ability to thoroughly inspect any new deliveries to make sure they don’t contain anything malicious. In short, to achieve your goal of complete protection, you’d have to turn that complex into a Panopticon.
That’s antivirus software. It sees all, it knows all, and it has total access. Which means that if and when someone compromises it—like, say, Russian intelligence services—they, too, have system-wide omnipotence.
And like any software, antivirus can’t promise infallibility. Last year, Google’s Tavis Ormandy discovered critical vulnerabilities across all of Symantec’s antivirus products. And the so-called DoubleAgent attack, discovered this past spring, demonstrated how a Microsoft debugging tool could be used to turn antivirus software into the ultimate spyware.
“It is a complex software, normally. That means it carries a lot of code,” says Udi Yavo, CTO of data security company Ensilo. “A lot of code usually means potential bugs. AV, like any other complex software, may have vulnerabilities which may expose the user.”
All of which paints a bleak image of antivirus. But it also obscures the fact that AV has very real benefits for the average consumer—which, in most cases, well outweigh the risks.
Risk and Reward
For governments or high-profile targets, using antivirus requires real caution to balance the potential risks with the benefits. Identifying compromised antivirus software can be exceedingly difficult, because antivirus by design acts aggressively. And because of its all-encompassing powers, it’s a likely target not just of Russia and North Korea, but any country with an advanced intelligence operation.
“We know that the US government has solicited participation from technology vendors in the United States in the past, whether through official channels or more covert mechanisms such as National Security Letters,” says Kuzma. “There’s no reason why other foreign governments cannot compel the same type of cooperation from companies that are based in their territory.”
But what makes antivirus potentially alarming is the same thing, oddly enough, that makes it relatively safe for personal use. Ultimately, it’s just one of countless ways that bad actors could potentially access your data. But the time and effort it takes to successfully wield it means the likeliest victims of antivirus-based attacks are specific targets of nation-states or well-funded criminal syndicates.
“Any widely used software could be leveraged in the same way, not only AVs,” says Mohammad Mannan, a security researcher at Concordia University who has studied antivirus vulnerabilities.
Hackers can target browsers, email clients, chat clients background processes; Mannan points to a long list of threat vectors that individuals face every day. An antivirus could cause more devastation, but even the nature of that sort of attack makes it more likely to apply to covert action than the kind of smash-and-grab malware that typically plagues consumers.
“It always depends on the purpose. If you’re going for espionage, then it’s a very good target,” says Yavo. “If you’re going for distributing ransomware, it’s probably not the best target, because you’re going to put relatively a lot of effort in something that’s going to be discovered anyway.”
So while Best Buy and Office Depot pull Kaspersky products from their shelves, Russia’s actions shouldn’t necessarily turn you off of it—or of antivirus altogether. It does provide a legitimate service. And while ditching it may help you avoid a wrecking ball, doing so could expose you to a thousand tiny punches that could end up hurting just as badly.