Cybersecurity report from Middle-earth

Analysis of Sauron’s hacking tools implemented in the devices known as Rings of Power.

What do Tolkien’s works say? Some read them as entertainment, others as profound Christian philosophy, still others as propaganda. As for me, I see cybersecurity parables. And just because these past few years I’ve been seeing them all over the place doesn’t mean they’re not also in Tolkien.

After all, did you know that shortly before the outbreak of WW2, Tolkien was trained at the British Government Code and Cypher School as a cryptanalyst? That’s the organization that went on to crack the German Enigma codes. Later it was rebranded as GCHQ — the service responsible for providing signals intelligence and information assurance to the British government and armed forces. Clearly, Tolkien’s combined skills as a linguist and a cryptanalyst were needed to decrypt enemy cyphers. That’s definitely information security we’re talking about. Therefore, in a way, Tolkien is an esteemed colleague of ours. So, let’s look at his works from a cybersecurity point of view.

Rings of Power

The plot of The Lord of the Rings largely revolves around the One Ring, created by Sauron to rule the world. It controls 19 other rings, three of which are worn by Elves, seven by Dwarves, and nine by Men. The book’s protagonists fear that if the One Ring returns to its creator, he will acquire frightful power and impose his will on everything.  Sounds like fantasy, but dig a bit deeper and it becomes clear that it’s actually proper sci-fi.

Three Rings for the Elven-kings under the sky

When I read Tolkien’s books back in childhood, it was the story of the Elven Rings that seemed the most incomprehensible. Supposedly forged by Elven smiths, they were untouched by the Dark Lord. However, they were created using the dark arts of Sauron and thus were still bound to the One Ring. Therefore, the Elves kept their rings securely hidden as long as the One remained with Sauron. What does it matter, or so it seemed, how the rings were made if they were created for good?

It matters a lot, as is now plain to see. Examining the situation from a modern perspective and in terms of information security, you get this:

  • The Elves produce three devices in-house;
  • The firmware for them is created using an SDK developed by Sauron;
  • The address of the One Ring C&C center is hard-coded into the rings;
  • Knowing that, the Elves are wary of using their devices while Sauron controls the C&C server.

In other words, it’s a classic supply chain attack. Only in this case, the Elves were able to identify the threat in time to take the vulnerable devices out of operation as a precaution.

Seven for the Dwarf-lords in their halls of stone

The Seven Rings were given to the Dwarf-lords by Sauron himself. The Dwarves were said to have used them to accumulate wealth. According to the book, the wearers did not succumb directly to Sauron’s control, but the rings significantly increased their avarice. Therefore, by influencing their greed and anger, Sauron managed to bring about the downfall of the seven Dwarf-lords.

Unfortunately, the Seven Rings were lost long before the events described in The Lord of the Rings, so a forensics analysis of these devices is not possible. But exploiting greed is a typical phishing technique. Cybercriminals manipulate the way device owners perceive information, which ultimately leads to their downfall. If that isn’t a phishing attack, what is?

Nine for Mortal Men doomed to die

Here there is not much to explain. Sauron gave the Nine Rings to Mortal Men: kings, sorcerers, and warriors of old. The wearers became virtually immortal, invisible, and obedient to the will of Sauron. In other words, a botnet.

Interestingly, the Nazgûl botnet seems to have had a backup control protocol; even after losing the C&C server, Sauron was able to command his Ringwraiths.

One for the Dark Lord on his dark throne

Our encyclopedia describes a C&C server as a server through which cybercriminals control botnets, send malicious commands, manage spyware, etc. Is the One Ring any different?

When the One Ring is destroyed, all subordinate rings lose their power. It is possible that a periodic C&C availability check was built into the firmware, plus a self-destruction mechanism to be activated on losing communication. Such behavior is very familiar to our cyberthreat analysts. Cybercriminals frequently use self-destruct mechanisms to obstruct forensics.

One Ring to rule them all,
One Ring to find them,
One Ring to bring them all
and in the darkness bind them

Not for nothing are these closing lines engraved on the inside of the ring. Remember why the One Ring is also known as Isildur’s Bane? Surrounded, Isildur put on the ring, but it slipped off his finger when he tried to cross the river and thus caused his death. Gollum also lost his “precious.” And all because the inscription on the ring is an instruction. One that is seemingly incorrectly translated — or ignored entirely.

The original engraving on the ring looks as follows:

Ash nazg durbatulûk, ash nazg gimbatul,
Ash nazg thrakatulûk agh burzum-ishi krimpatul.

The last word, krimpatul, is usually translated as “bind.” But binding rings together is a rather meaningless exercise. What if this is not Black Speech at all, but instead a rough transliteration of “crimping tool,” a device well known to any IT specialist?

If so, what the inscription is in fact saying is that the ring needs to be crimped. That’s why it fell off Isildur’s finger. So the moral of the tale is that documentation needs to be read — and translated — with Gollum-like devotion, however short and simple it may seem.