Report accuses BT of supplying backdoors for GCHQ and NSA

Researchers accuse BT of placing backdoors into firmware, linking their modems to network in the U.K. with IPs assigned to the U.S. Department of Defense

A paper released earlier this month by a group of security researchers has outlined the technical details behind a potential Computer Network Exploitation (CNE) program likely used by the U.K. Government Communications Headquarters (GCHQ) and their American counterpart, the NSA.

[Spy agencies in the U.S. and U.K. bypass widely used encryption protocols]

Moreover, the researcher's say that one of the largest telecom providers in the world, BT Group (formerly British Telecom), ships hardware to the home and office with firmware that enables this secretive surveillance on a massive scale.

In a paper titled The Internet Dark Age the researchers say that BT is shipping hardware with backdoors that allow secret government access in order to make network compromise easier. "BT are directly responsible for covertly embedding secret spy equipment in millions of homes and businesses within the U.K.," the paper states.

The authors of the paper, (who stated that while they wish to remain anonymous, are ready to appear in a court of law and present their findings) claim to have discovered a key piece to the global surveillance puzzle, addressing several questions that have gone unanswered since documents leaked by former NSA analyst Edward Snowden started appearing this summer. The researchers said that they made their discovery in June, but held the report for an additional six months in order to do additional research and study.

The most critical question in the wake of the Snowden leaks centers on the technical details of how the NSA and GCHQ perform CNE operations on residential and Small Office and Home Office (SOHO) networks, as well as global enterprise.

Weeks prior to the release of The Internet Dark Age it emerged that the NSA and the GCHQ had infected more than 50,000 networks globally as part of their CNE efforts. But the reports on such actions never explained how this was accomplished. Prior reports on the existence of agency hackers and network penetration specialists also left the details of their actions to speculation. The public knows they exist, but not how they operate.

The information in the anonymously published paper doesn't come from access to classified information. Instead, the details come from forensic analysis of private SOHO networks located in the U.K., which the researchers say was conducted "legally, and on private property using privately owned equipment."

[NSA revelations bolstering demands for congressional action]

While the focus centers mainly on the U.K. and the GCHQ, the paper's authors believe that the activity itself isn't limited to the U.K. at all. Given the information that has been leaked publically about government CNE operations, and partnerships between the NSA and GCHQ, there is little reason to doubt that the knowledge of paper's outlined exploitation techniques isn't shared between the two agencies.

In September, as part of an article written for the Guardian after reading several documents leaked by Snowden, BT's Bruce Schneier, commented that the NSA goes after network devices directly.

"The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities already built in; the trick is to surreptitiously turn them on," Schneier wrote.

[UK spy agency reportedly intercepted email of delegates at G20 meetings in 2009]

"This is an especially fruitful avenue of attack; routers are updated less frequently, tend not to have security software installed on them, and are generally ignored as a vulnerability."

In their opening summation, the authors of The Internet Dark Age reference Schneier's comments and say that their research serves as "verifiable proof that Bruce Schneier's statements are indeed correct."

The Hack:

According to the paper, a secondary hidden network and IP address is assigned to a BT user's modem, which enables the attacker (in this case the NSA or GCHQ) direct access to their modem, and the systems on their LAN from the Internet.

The researchers tested BT Open Reach modems Huawei EchoLife HG612 and ECI B-FOCuS VDSL2. In a side note, they point out that BT developed the firmware, so claims of Huawei being responsible for the backdoors are false.

In addition, the researchers used unmodified firmware to conduct their tests, but note that their results can be duplicated using modified firmware as well, as those versions exist with the same backdoors, because they're based on official BT release GNU source code.

Once the connection is made, the secondary network cannot be detected at a glance, as it isn't visible via the modem's web interface, and isnt subject to firewall rules or other limitations, as far as the switch portion of the modem is concerned. Even before the PPPOE request is issued, and an IP assigned by the ISP, the secondary network is fully operational, even if the modem is believed to be offline.

The authors discovered that the secondary network in question (CDIR: uses a block of IPs maintained by the U.S. Department of Defense (USDOD), and that traffic on this network is hidden due to the usage of a VLAN. Although the IP addresses are owned by the USDOD, the paper adds, a ping time to the gateway is less than 8ms from within the U.K.

[Privacy group sues UK government over surveillance programs]

"This spy network is hidden from the LAN/switch using firewall rules and traffic is hidden using VLANs in the case of BT et al, it uses VLAN 301, but other vendor's modems may well use different VLANs," the paper explains.

Inside the modem itself, other tools and services (routing daemons, SSH, iptables, etc.) are enabled that grant the operators of the secondary network total control over modem and routing functionality. Thus, the modem acts as a server, listening to for connections on several ports, including ports 22 and 23. This gives the operators on the other network remote access to the modem and LAN, while denying the same access to the owner.

This is possible because of a hidden bridged interface exists with its own VLAN that isn't subject to the modem's firewall rules. Scanning the modem's public IP from the outside will show port 161 open (BTAgent), but nothing else for the most part. However, from the secondary network, all necessary ports are said to be open, including an SSH daemon running with basic authentication (admin/admin).

The access and control granted via this secondary network, the paper's author assert, enables its operators to steal private keys (VPN/SSH/SSL/PGP), install malware or other monitoring software such as keyloggers, copy or remove content, perform passive traffic monitoring, and perform traffic routing, including controlling traffic based on protocol or port. Furthermore, the paper outlines other granular attacks on VoIP, mobile devices (as long as the device is connected to the customer's wireless network). The authors also warn of Tor User/Content discovery via LAN packet fingerprinting.

[NSA spreading malware to further goals for more power]

"The attacker can stain packets leaving your network and before entering the Tor network, making traffic analysis much easier than was previously known. All Tor traffic can be redirected to a dedicated private Tor network controlled by the attacker, in this way the attacker controls ALL Tor nodes and so can see everything you do from end-to-end. This is not something the Tor project can fix," the paper explained.

To combat this, the paper recommends that Tor hidden services drop all traffic from un-trusted Tor nodes, so that clients running in the simulated Tor network will fail to connect to their destination.

The authors of the paper acknowledge that VLAN usage isn't required for the attacker to route traffic using the backdoors in the BT firmware. However, doing so, shields their activities at the ISP, and allows isolation on their own network.

"You should note that the routing to the attackers network does not require any assistance from the ISP, unless the victims modem device (end-point) has no backdoor, in which case routing can still happen upstream, but this is much more complicated and not scale-able. If routed upstream, the attacker will not have access to the user's internal LAN network, and in this case the ISP would be forced to use Lawful Interception which would then require a legal warrant," they wrote in an email to an ISP manager, who questioned their research.

In an attempt to address the problem, the paper's authors offer other recommendations geared towards protection, which range from basic defense, to mitigations geared towards network design. The paper splits its advice between inbound and outbound defenses, as well as Man-in-the-Middle, with outbound being noted as the only measure that will protect Tor clients.

"This clearly demonstrates that the UK Government, U.S. Government, U.S. Military and BT are co-operating together to secretly wiretap all Internet users in their own homes (with few exceptions). The modems are provided by BT and locked down. If you cannot confirm otherwise, you must assume that all ISPs in the UK by policy have the same techniques deployed," the authors said, summarizing their findings.

[Privacy group files OECD complaints over UK telco spying]

Objectively, while the report does raise serious concerns, this is the only report of its kind. While the ability to reproduce the findings exists, no other researchers have taken on the task.

When asked for comment, BT responded to CSO with a statement saying, "We comply with the law wherever we operate and do not disclose customer data in any jurisdiction unless legally required to do so."

On the issue of the USDOD IP address referenced by the paper's authors, that block of addresses has been used by many firms over the years. It's a valuable piece of IPv4 real-estate that is often enabled internally by an ISP after they've gotten permission from the Defense Information Systems Agency (the part of the USDOD that manages networks and infrastructure).

Just last year, Sprint was using IPs internally from that block for their mobile network. So the fact that BT would be using it too isn't a shock to network engineers who have seen the paper.

In short, one security expert told CSO, the usage of 30.x.x.x /8 doesn't really imply NSA monitoring at all. In fact, he added, "If you want a non-routable IP that won't break when using it, [the] DOD is your best choice."

Copyright © 2013 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)