Hidden NSA/GCHQ VLAN in British Telecom Customer Routers (cryptome.org)
7 points by vxxzy on Dec 5, 2013 | 4 comments


Can anybody independently verify this?

Is it possible it's just the authors' referenced "Unlocked Firmware Image for Huawei HG612" which is backdoored?


The methods they describe to "confirm" the backdoor are simply silly. The ping results observed are not indicative of anything in particular, and the 30.150.x.x network that they're observing connections to isn't even routed. (BT is probably using 30/8 as a semi-private network space.)


I also have my concerns with this.

Even if BT or GCHQ/NSA were altering routing tables, it doesn't really change the threat model of "assume Internet connections will be MITM'd". It does concern me that it appears inbound connections to LAN devices are unrestricted from this hidden VLAN, potentially allowing the ISP or its agents direct access inside most people's primary network security perimeter. But I suppose this is really no more dangerous than the remote firmware "upgrade" facility found in this and many other consumer network devices. Best practice is certainly to run your own, separate, firewall and wireless AP built as much as possible on trusted FLOSS.

In any case, despite claims that, "At this point the attacker has complete control of the modem and your LAN, extra firewall rules are added the moment the ptm1.301 VLAN device is enabled by the dhcpc command", they annoyingly did not list those firewall rules.

I also do not think their claims of Tor subversion hold water. From what I understand of Tor, directory information (including nodes' key fingerprints) is ultimately verified by the hard-coded keys of very few "trusted" operators of authoritative directory servers. So long as the Tor software isn't compromised, no MITM, regardless of where it's effected, will be able to subvert the user's circuit construction (of course, barring bugs in Tor and exploits higher up in the software stack). At least, that's my understanding.
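The point made in the comment above (that a MITM anywhere on the path cannot feed a Tor client a forged directory, because the client only accepts a consensus signed by a majority of authorities whose keys it has pinned) can be illustrated with a small model. The following is an added example, not code from the thread or from the Tor project: it uses ed25519 from Go's standard library as a stand-in for Tor's real consensus signature scheme, generates the "authority" keys at start (a real client ships them hard-coded), and uses constructed authority names and document contents.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Authority models one directory authority. A real Tor client pins the
// authorities' public keys in its binary; here keys are generated at startup
// purely so the example runs offline (constructed, not Tor's real keys).
type Authority struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewAuthority(name string) Authority {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Authority{Name: name, Pub: pub, priv: priv}
}

// Sign returns this authority's signature over the exact consensus bytes.
func (a Authority) Sign(consensus []byte) []byte {
	return ed25519.Sign(a.priv, consensus)
}

// SignedConsensus is the directory document plus the signatures attached to it,
// keyed by authority name.
type SignedConsensus struct {
	Doc  []byte
	Sigs map[string][]byte
}

// VerifyConsensus is the client-side check. Only pinned authorities count, a
// signature counts only if it verifies over these exact bytes, and the document
// is accepted only when more than half of the pinned authorities signed it.
// Returns (accepted, number of valid signatures).
func VerifyConsensus(pinned map[string]ed25519.PublicKey, sc SignedConsensus) (bool, int) {
	valid := 0
	for name, pub := range pinned {
		sig, ok := sc.Sigs[name]
		if !ok {
			continue
		}
		if ed25519.Verify(pub, sc.Doc, sig) {
			valid++
		}
	}
	return valid*2 > len(pinned), valid
}

// RunScenarios exercises three cases: the genuine consensus, a copy altered
// in transit with the original signatures left attached, and an altered copy
// signed by only a minority of authorities.
func RunScenarios() (genuineOK, tamperedOK, minorityOK bool) {
	auths := []Authority{
		NewAuthority("authority-1"), NewAuthority("authority-2"),
		NewAuthority("authority-3"), NewAuthority("authority-4"),
		NewAuthority("authority-5"),
	}
	pinned := map[string]ed25519.PublicKey{}
	for _, a := range auths {
		pinned[a.Name] = a.Pub
	}

	// Constructed stand-in for a consensus: one relay entry with its fingerprint.
	doc := []byte("network-status-version 3\nr relayA <fingerprint-A> 198.51.100.10 9001\n")
	genuine := SignedConsensus{Doc: doc, Sigs: map[string][]byte{}}
	for _, a := range auths {
		genuine.Sigs[a.Name] = a.Sign(doc)
	}
	genuineOK, _ = VerifyConsensus(pinned, genuine)

	// An on-path party substitutes a relay entry of its own choosing; the
	// authorities' signatures no longer verify over the modified bytes.
	altered := []byte("network-status-version 3\nr relayX <fingerprint-X> 203.0.113.5 9001\n")
	tampered := SignedConsensus{Doc: altered, Sigs: genuine.Sigs}
	tamperedOK, _ = VerifyConsensus(pinned, tampered)

	// Even with two authority keys compromised, two of five is not a majority.
	minority := SignedConsensus{Doc: altered, Sigs: map[string][]byte{}}
	for _, a := range auths[:2] {
		minority.Sigs[a.Name] = a.Sign(altered)
	}
	minorityOK, _ = VerifyConsensus(pinned, minority)
	return
}

func main() {
	g, t, m := RunScenarios()
	fmt.Printf("genuine accepted=%v tampered accepted=%v minority accepted=%v\n", g, t, m)
}
```

The model deliberately ignores signatures from names it has not pinned, so a path-level attacker cannot help itself by adding extra "authorities"; the only ways in are a majority of the pinned keys or a flaw in the verifying software, which is exactly the caveat the comment ends with.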


> Even if BT or GCHQ/NSA were altering routing tables...

Actually, speaking of that...

If BT, GCHQ, and/or the NSA needed to subvert traffic, they'd do it in BT's core routers, in a central location outside customers' view. There's no reason they'd do anything so complex, failure-prone, and, most importantly, visible as diverting traffic on customer hardware.



