bit-tech.net

BT modems have NSA back-door, claim researchers

A team of researchers who wish to remain anonymous have published what they claim is evidence proving BT has inserted an NSA/GCHQ back-door into modems provided to its broadband customers.

BT has been accused of hiding a government back-door in modems provided to broadband customers by a team of researchers who claim the company is not alone in providing such access to supposedly-private home networks.

Former contractor to the US National Security Agency (NSA) Edward Snowden kicked up a storm when he absconded with what is claimed to be millions of classified documents pertaining to what the military calls 'signals intelligence' and what the general public refer to as 'spying.' In selected documents leaked via the press, the US and other world governments - including our own - were accused of a system of complete data collection without oversight and without obeying legal restrictions placed upon them. From placing back-door access into closed-source cryptography products to rumours that Windows itself has NSA back-door code, to say 2013 has been a tough time for technology companies and government spies is perhaps under-egging the pudding.

Now, a team of researchers calling themselves The Adversaries have published a document (PDF warning) dubbed 'Full Disclosure: The Internet Dark Age' which accuses internet service providers (ISPs) in general and BT specifically of placing government back-doors into the modems provided to customers as part of their broadband packages.

The document starts by quoting a piece by noted cryptographer Bruce Schneier written for the Guardian, which states in part: 'The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities already built in; the trick is to surreptitiously turn them on.'

The pseudonymous team then goes on to claim that they have the 'first independent technical verifiable proof that Bruce Schneier's statements are indeed correct.' Starting with a précis on the traffic capturing system believed to be used by the US NSA and the UK Government Communications Headquarters (GCHQ), the team make a bold claim: 'BT Broadband equipment contain [sic] NSA/GCHQ back doors.'

Gaining local access to the BT Broadband modem provided to customers using a USB serial cable wired directly to the motherboard, the team claim to have discovered a hidden virtual local area network run by the modem and connecting it directly to the NSA and GCHQ's data capture network. Not visible using any LAN-side packet capture tools, nor from the connected router's administrative page, the network presents all ports to the VLAN without restriction - providing the ability to, for example, insert false entries in the DNS table as part of a man-in-the-middle attack, to access computers on the LAN side of the modem, or even to mirror all outgoing and incoming internet traffic across the VLAN for capture - a mode it is claimed to use by default.

The team further claims to have evidence that this hidden network is owned by the US Department of Defence (DoD) yet operated within the UK. 'This clearly demonstrates that the UK Government, US Government, US Military and BT are co-operating together to secretly wiretap all Internet users in their own homes,' the document warns before adding that 'if you cannot confirm otherwise, you must assume that all ISPs in the UK by policy have the same techniques deployed.'

BT has typically provided its high-end Infinity broadband product as a two-box solution, comprised of a VDSL modem and a router which connects via Ethernet cable. The document does not make clear which device is affected by the alleged back-door, but it would appear from comments on page 47 regarding physical barriers to analysis to be the separate modem - a device BT has stopped providing since the launch of the BT Home Hub 5 modem/router, which includes an integrated dual-mode ADSL/VDSL modem.

The provision of a locked-down, pre-configured modem/router for customers is a common trait of ISPs ostensibly as a means of simplifying support. The Adversaries claim a more sinister motive, pointing out that the locked-down nature of such devices makes it extremely difficult to validate their configuration. It is even claimed that while the back-door VLAN is enabled by default it is disabled selectively if the NSA or GCHQ believes a recipient may have the knowledge required to discover the hidden network.

These knowledgeable individuals are, the group claims, identified by requests to use a third-party router or modem, details of the open-source packages running on the BT-provided router, or a desire to install third-party firmware on the router. 'BT goes to extreme lengths to prevent anyone from changing the firmware,' the document claims. 'Those that come close are first subjected to physical and psychological barriers[,] and the few that overcome that are subjected to a separate NSA/GCHQ targeted social attack designed specifically to derail any engineering progress made.'

The group goes on to suggest potential ways to limit the impact of the alleged back-door, from installing a secondary open-source firewall downstream from the locked-down ISP-provided modem to protect internal networks, to tunnelling traffic out of the network through a known-good host, to one clear message: 'never trust closed source routers.'
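As a worked example of the first of those mitigations (a secondary open-source firewall placed between the ISP-supplied modem and the home network), here is an nftables ruleset; it is added here and is not from the article or from The Adversaries' document. The interface names wan0/lan0, the LAN prefix 192.168.1.0/24 and the modem's own address 192.168.0.1 are constructed assumptions, and the ruleset covers IPv4 only.

```nft
#!/usr/sbin/nft -f
# Downstream firewall: the ISP modem sits on wan0 and is treated as untrusted;
# the home network sits on lan0. Interface names and addresses are constructed
# assumptions for this example. IPv4 only.
define WAN     = wan0
define LAN     = lan0
define LAN_NET = 192.168.1.0/24
define MODEM   = 192.168.0.1      # constructed: address the modem itself uses

flush ruleset

table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # The firewall's WAN side gets its address by DHCP; conntrack does not
        # pair the broadcast reply with the request, so allow it explicitly.
        iifname $WAN udp sport 67 udp dport 68 accept

        # Administer the firewall from the LAN side only, never from the modem side.
        iifname $LAN ip saddr $LAN_NET tcp dport 22 accept
        iifname $LAN icmp type echo-request accept

        # A connection the modem itself initiates towards the firewall is not
        # expected in normal operation: log it (rate-limited) before the default
        # drop so it shows up in log review.
        iifname $WAN ip saddr $MODEM limit rate 10/minute log prefix "modem-originated: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open connections out through the modem.
        iifname $LAN oifname $WAN ip saddr $LAN_NET accept

        # Nothing unsolicited crosses from the modem side into the LAN. Add one
        # explicit rule per service you deliberately expose, for example:
        #   iifname $WAN oifname $LAN ip daddr 192.168.1.10 tcp dport 443 accept

        # Everything else arriving from the WAN side is logged (rate-limited) and
        # then falls through to the chain's drop policy.
        iifname $WAN oifname $LAN limit rate 10/minute log prefix "wan-to-lan-dropped: "
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hide the LAN behind the firewall's WAN-side address.
        oifname $WAN ip saddr $LAN_NET masquerade
    }
}
```

Loaded with `nft -f`, this removes the reach into the LAN that the document describes, but it does nothing about traffic mirrored upstream of the firewall; that is what the tunnelling advice addresses.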

Prior to the Snowden leaks, such claims would have seemed outlandishly paranoid - but there is mounting evidence that this is exactly the kind of caper the NSA and its partners would attempt. Technical evidence is provided towards the end of the document seemingly validating the group's claims, too, or at the very least revealing a strange kind of misconfiguration which appears as a back-door, hidden network - or, potentially, an entirely fictitious and hand-assembled collection of supposed console logs designed to give the impression of veracity.

Many security researchers are, rightly, suspicious of the team's claims. One particularly dismissive posting to the Errata Security blog explains how the use of network space seemingly assigned to the US Department of Defence might be nothing more than a mistake, with BT ignoring internet standards to co-opt the IP range for internal use as a result of its non-routable nature. That's a conclusion with which rival provider AAISP agrees, dismissing the paper with the conclusion that it 'presents no evidence that BT modems have secret spy back doors.'

In what appears to be purely coincidental timing, Bruce Schneier has left his post of Security Futurologist at BT after seven years. According to an email sent to Ars Technica, the move has nothing to do with the supposed back-door or any potential NSA/GCHQ input into BT's affairs: 'No, they weren't happy with me, but they knew that I am an independent thinker and they didn't try to muzzle me in any way,' Schneier wrote of his former employers. 'It's just time. I spent seven years at BT and seven years at Counterpane Internet Security, Inc before BT bought us. It's past time for something new.'

For BT, and other ISPs, there are certainly some questions to be answered. At the time of writing, BT had not responded to a request for comment on the document.

27 Comments

Gareth Halfacree 17th December 2013, 12:46
Added a couple of comments from people who say that the paper is making a mountain out of a decidedly not-DoD-flavoured molehill. Yes, that means an already lengthy piece is even longer. Grab a coffee.
John_T 17th December 2013, 13:20
Nothing wrong with a long article: I'd rather it was long and properly balanced than short for the sake of it. As someone who uses the BT setup I wouldn't mind seeing a follow-up to this to see whether there actually is anything in it. Not that I do anything I don't particularly want 'authorities' to know about, but you know, it's the principle of the thing...
forum_user 17th December 2013, 14:07
BT won't be able to say it is true even if it is, so, safe to assume a full denial incoming?

[homehub]
Shutdown router.
[/homehub]
Brooxy 17th December 2013, 14:21
Quote:
Originally Posted by John_T
As someone who uses the BT setup I wouldn't mind seeing a follow-up to this to see whether there actually is anything in it. Not that I do anything I don't particularly want 'authorities' to know about, but you know, it's the principle of the thing...

This. I'm also using the Homehub 4 setup, along with the Openreach Modem - if any more information about this comes up, it would be interesting to know, no matter how boring my internet history is...

Kind of scary that we've entered a time when all tinfoil hat-esque ideas are becoming more of a reality. What's next, NSA backdoor hidden in my ethernet enabled blu-ray player? GPS Tracking bug built into the ECU of my car, with dialler to dial back to the NSA? (Not likely - it's a poverty spec 2002 Golf, but you get the gist of what I'm getting at...)
Gareth Halfacree 17th December 2013, 14:29
Quote:
Originally Posted by Brooxy
This. I'm also using the Homehub 5 setup, along with the Openreach Modem
Interesting. The Home Hub 5 was the first to include a built-in dual-mode ADSL/VDSL modem, meaning it works without the Openreach VDSL modem. The instructions for the Home Hub 5, however, don't reflect this; "If you're on Infinity Option 1 or Option 2," they explain, "connect the Home Hub 5 to the modem via an Ethernet cable." When my Infinity Option 2 was fitted, the Openreach engineer didn't bring a modem; when I queried why, concerned that he was installing plain-old ADSL2+, he confirmed that they're no longer required with the Home Hub 5 - and, indeed, BT had stopped using 'em because they had a tendency to overheat.

You, however, have a Home Hub 5 and an Openreach modem - even though you don't need two boxes. When was your broadband installed, out of interest?
Brooxy 17th December 2013, 14:48
Well this is embarrassing - meant to type Homehub 4 not 5...although in answer to the question, it was installed in August I think.
Gareth Halfacree 17th December 2013, 15:10
Quote:
Originally Posted by Brooxy
Well this is embarrassing - meant to type Homehub 4 not 5.
That would explain it; the 4 has no VDSL capabilities - just ADSL. Still doesn't explain why the HH5 manual clearly states you'll get a separate modem if you're on Infinity, though.
liratheal 17th December 2013, 15:17
You know what. If it's true, anyone still using those aborted foetuses of routers deserves it.
Bindibadgi 17th December 2013, 15:29
At this point I'll not be surprised if my analogue watch is always listening to me tbh. Anyone else feel the same?
r3loaded 17th December 2013, 15:53
And kids, this is why I always use my own router with OpenWRT - and it's not just because ISP routers have horrifically crap hardware+firmware that's locked down like mad.
Atomic 17th December 2013, 16:26
Quote:
Originally Posted by r3loaded
And kids, this is why I always use my own router with OpenWRT - and it's not just because ISP routers have horrifically crap hardware+firmware that's locked down like mad.
It's not the router that has the backdoor, it was the modem so you'd not be safe.
Bloodburgers 17th December 2013, 16:29
Quote:
Originally Posted by Bindibadgi
At this point I'll not be surprised if my analogue watch is always listening to me tbh. Anyone else feel the same?

Well my watch keeps telling me things so I'm sure it's more than capable of listening too.
GeorgeStorm 17th December 2013, 17:05
Someone I know who does networky stuff (as far as I'm aware) commented on this earlier:
Quote:
They use DOD space because it's not internet-routable, and it's for the TR-069 ( http://en.wikipedia.org/wiki/TR-069 ) service. This is *NOT* news.

The internet is full of these idiots who think they know better -- yet this one could be easily passed off by saying "why would they do it to your modem/router when they control the transport infrastructure". They'd tap it at the exchange, not your £10 Huawei modem!

It was already in NetworkWorld, AAISP have had to rebuke it, it's bonkers.
Umbra 17th December 2013, 17:15
Quote:
Originally Posted by Bindibadgi
At this point I'll not be surprised if my analogue watch is always listening to me tbh. Anyone else feel the same?

It wouldn't surprise me if my BT H%£e sm%^T ph%£$ is monitoring me
Umbra 17th December 2013, 17:16
Quote:
Originally Posted by Umbra
It wouldn't surprise me if my BT H%£e sm%^T ph%£$ is monitoring me

OK, That's weird, who censored my post :)
RichCreedy 17th December 2013, 17:23
It was your BT Home smart phone ;-) whatever one of those is, lol
Omnituens 17th December 2013, 19:06
Is it just me, or is the plot of MGS2 starting to make a little bit more sense?

Won't be long before words start to get La-li-lu-le-lo'ed
John_T 17th December 2013, 20:05
Quote:
Originally Posted by liratheal
You know what. If it's true, anyone still using those aborted foetuses of routers deserves it.

Maybe I am stupid for using the (perfectly functional) kit that I already paid for (without choice) from my ISP, but I "deserve" it? Really? At least I understood the article.

Besides, what makes you think that only ISP supplied hardware would then be affected? If this story were true, (GeorgeStorm's post aside for a moment) do you think other brands of hardware wouldn't also be affected? Perhaps you've simply chosen one with a backdoor for a different country's security agency...
John_T 17th December 2013, 20:10
Quote:
Originally Posted by Bindibadgi
At this point I'll not be surprised if my analogue watch is always listening to me tbh. Anyone else feel the same?

Yep, put me in that category. I used to file stories like this under 'tinfoil hat brigade' - the last few years have increasingly proved that the tinfoil hat wearers were actually the sensible ones and it's the rest of us that were deluded. Definitely makes you paranoid!
Corky42 17th December 2013, 20:25
I think GeorgeStorm hit the nail on the head: why would they put back doors in every modem when they can cover entire networks by tapping into one or two upstream connections?
theshadow2001 17th December 2013, 23:33
Quote:
Originally Posted by Bloodburgers
Well my watch keeps telling me things so I'm sure it's more than capable of listening too.

Mine keeps telling me to speak up a bit.
r3loaded 18th December 2013, 12:44
Quote:
Originally Posted by Atomic
It's not the router that has the backdoor, it was the modem so you'd not be safe.
My own router would not allow remote access to my LAN from the WAN side, except for ports that were explicitly opened. It doesn't matter what the modem does, the router would prevent access.

Contrast this with BT's combined modems/routers where it was allowing access to the LAN via a VC.
IvanIvanovich 18th December 2013, 17:29
I see no reason there would be such a thing. All of the monitoring/spying equipment is installed on the backbone internet exchange points already! When you can put in equipment to do entire countries/regions to monitor all traffic in the middle at once there is no point in having a backdoor at individual end points.
Gareth Halfacree 18th December 2013, 17:38
Quote:
Originally Posted by Corky42
I think GeorgeStorm hit the nail on the head: why would they put back doors in every modem when they can cover entire networks by tapping into one or two upstream connections?
Quote:
Originally Posted by IvanIvanovich
I see no reason there would be such a thing. All of the monitoring/spying equipment is installed on the backbone internet exchange points already! When you can put in equipment to do entire countries/regions to monitor all traffic in the middle at once there is no point in having a backdoor at individual end points.
Simple: sticking something at the exchange will let you see the traffic to or from my home network, but it won't let you see my home network - nor will it allow you to see the contents of any properly encrypted VPN or tunnel, modulo brute-force decryption, a back-door or flaw in the VPN software itself, or a man-in-the-middle attack.

Pwning my router, on the other hand, gives you complete access to my entire home network - including, if you so desire, the ability to then attempt to compromise my desktops, laptops, IP cameras, servers and so forth. Very handy.

For the record, I'm not convinced by 'The Adversaries,' but I am disappointed that BT hasn't even bothered to respond to my emails on the matter.
forum_user 18th December 2013, 18:30
Therefore, the plot thickens!

The HomeHub5 I have is a VDSL modem and router in one. I guess I cannot use my old Asus D6300 due to not being VDSL, is that right?

1. I never agreed to be part of BT Wifi - which means anyone can leech my broadband using their BTInternet email and pass.

2. This story makes me wanna drop HH5 like a hot potato.

3. I'm having serious issues with speed at this new property anyway, and want to test using one of my older routers but can't get it up and running. Due to VDSL?
Gareth Halfacree 18th December 2013, 18:33
Quote:
Originally Posted by forum_user
The HomeHub5 I have is a VDSL modem and router in one. I guess I cannot use my old Asus D6300 due to not being VDSL, is that right?
Correct: ADSL and VDSL are both Digital Subscriber Line standards, but incompatible. ADSL2+ maxes out at, what, 20-odd Mb/s, whereas VDSL hits 76Mb/s and more without difficulty.
Quote:
Originally Posted by forum_user
1. I never agreed to be part of BT Wifi - which means anyone can leech my broadband using their BTInternet email and pass.
You can opt out of this in your BT Account page, although doing so means you can no longer get free access to others' BT WiFi hotspots. Also, technically speaking, you did agree to be part of BT WiFi - it's in the Ts&Cs nobody ever bothers to read when they sign up.
Quote:
Originally Posted by forum_user
2. This story makes me wanna drop HH5 like a hot potato.
The document definitely doesn't cover the Home Hub 5, as it specifically refers to a separate modem and appears to indicate that it's this modem that has been compromised. That said, given what we know from Snowden it would seem likely that any given closed-source product has at least one country's back-door in it, and possibly multiple - routers included. So, too, might your Asus router - or any other router you pick up as a replacement. Joy!
Quote:
Originally Posted by forum_user
3. I'm having serious issues with speed at this new property anyway, and want to test using one of my older routers but can't get it up and running. Due to VDSL?
Yup. As above, they're completely incompatible. If you want to ditch the HH5, you'll need a VDSL modem/router or a separate VDSL modem; an ADSL modem will do you no good here.
IvanIvanovich 18th December 2013, 22:23
If they spot traffic to/from you that causes interest, it doesn't matter what you are doing inside your own network with it, you've already been flagged. I seriously believe every known widely used encryption is already broken by NSA, etc. and they probably have the capability to decrypt it on the fly with specialized 'black box' hardware. Also at which case they can surely do any altering of traffic and data injection if they so choose from what is in place at the exchange points.
Basically, if you engage in illicit activities electronically, you are most likely screwed regardless of precautions you have taken, barring writing ALL of your own software from scratch. If you are not, well sure it's annoying to be monitored and you shouldn't say it's OK but it's not like anything will actually be done about it to change it. Not enough people are willing to wake up and take a true hard stand against the governments and companies responsible and take any action to actually force that change. Even if there were, how can we be sure it actually happened?