BT ROUTER SURVEILLANCE – Report accuses BT of supplying backdoors for GCHQ and NSA
Researchers accuse BT of placing backdoors into firmware
CSO – A paper released earlier this month by a group of security researchers has outlined the technical details behind a potential Computer Network Exploitation (CNE) program likely used by the U.K. Government Communications Headquarters (GCHQ) and their American counterpart, the NSA.
Moreover, the researcher’s say that one of the largest telecom providers in the world, BT Group (formerly British Telecom), ships hardware to the home and office with firmware that enables this secretive surveillance on a massive scale.
In a paper titled The Internet Dark Age the researchers say that BT is shipping hardware with backdoors that allow secret government access in order to make network compromise easier. “BT are directly responsible for covertly embedding secret spy equipment in millions of homes and businesses within the U.K.,” the paper states.
In September, as part of an article written for the Guardian after reading several documents leaked by Snowden, BT’s Bruce Schneier, commented that http://www.csoonline.com/article/741494/nsa-revelations-bolstering-demands-for-congressional-action.
“The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities already built in; the trick is to surreptitiously turn them on,” Schneier wrote.
“This is an especially fruitful avenue of attack; routers are updated less frequently, tend not to have security software installed on them, and are generally ignored as a vulnerability.”
In their opening summation, the authors of The Internet Dark Age reference Schneier’s comments and say that their research serves as “verifiable proof that Bruce Schneier’s statements are indeed correct.”
According to the paper, a secondary hidden network and IP address is assigned to a BT user’s modem, which enables the attacker (in this case the NSA or GCHQ) direct access to their modem, and the systems on their LAN from the Internet.
The researchers tested BT Open Reach modems Huawei EchoLife HG612 and ECI B-FOCuS VDSL2. In a side note, they point out that BT developed the firmware, so claims of Huawei being responsible for the backdoors are false.
In addition, the researchers used unmodified firmware to conduct their tests, but note that their results can be duplicated using modified firmware as well, as those versions exist with the same backdoors, because they’re based on official BT release GNU source code.
Once the connection is made, the secondary network cannot be detected at a glance, as it isn’t visible via the modem’s web interface, and isnt subject to firewall rules or other limitations, as far as the switch portion of the modem is concerned. Even before the PPPOE request is issued, and an IP assigned by the ISP, the secondary network is fully operational, even if the modem is believed to be offline.
The authors discovered that the secondary network in question (CDIR: 18.104.22.168/8) uses a block of IPs maintained by the U.S. Department of Defense (USDOD), and that traffic on this network is hidden due to the usage of a VLAN. Although the IP addresses are owned by the USDOD, the paper adds, a ping time to the gateway is less than 8ms from within the U.K.
“This spy network is hidden from the LAN/switch using firewall rules and traffic is hidden using VLANs in the case of BT et al, it uses VLAN 301, but other vendor’s modems may well use different VLANs,” the paper explains.
Inside the modem itself, other tools and services (routing daemons, SSH, iptables, etc.) are enabled that grant the operators of the secondary network total control over modem and routing functionality. Thus, the modem acts as a server, listening to for connections on several ports, including ports 22 and 23. This gives the operators on the other network remote access to the modem and LAN, while denying the same access to the owner.
“This clearly demonstrates that the UK Government, U.S. Government, U.S. Military and BT are co-operating together to secretly wiretap all Internet users in their own homes (with few exceptions). The modems are provided by BT and locked down. If you cannot confirm otherwise, you must assume that all ISPs in the UK by policy have the same techniques deployed,” the authors said, summarizing their findings.