A paper released earlier this month by a group of security researchers has outlined the technical details behind a potential Computer Network Exploitation (CNE) program likely used by the UK's Government Communications Headquarters (GCHQ) and their American counterpart, the NSA.
Moreover, the researchers say that one of the largest telecom providers in the world, BT Group (formerly British Telecom), ships hardware to homes and offices with firmware that enables this secretive surveillance on a massive scale.
In a paper titled The Internet Dark Age the researchers say that BT is shipping hardware with backdoors that allow secret government access in order to make network compromise easier. "BT are directly responsible for covertly embedding secret spy equipment in millions of homes and businesses within the U.K.," the paper states.
The authors of the paper (who state that, while they wish to remain anonymous, they are ready to appear in court and present their findings) claim to have discovered a key piece of the global surveillance puzzle, addressing several questions that have gone unanswered since documents leaked by former NSA analyst Edward Snowden started appearing this summer. The researchers said that they made their discovery in June, but held the report for a further six months in order to do additional research and study.
The most critical question in the wake of the Snowden leaks centers on the technical details of how the NSA and GCHQ perform CNE operations against residential and Small Office and Home Office (SOHO) networks, as well as global enterprise networks.
Weeks prior to the release of The Internet Dark Age it emerged that the NSA and the GCHQ had infected more than 50,000 networks globally as part of their CNE efforts. But the reports on such actions never explained how this was accomplished. Prior reports on the existence of agency hackers and network penetration specialists also left the details of their actions to speculation. The public knows they exist, but not how they operate.
The information in the anonymously published paper doesn't come from access to classified information. Instead, the details come from forensic analysis of private SOHO networks located in the U.K., which the researchers say was conducted "legally, and on private property using privately owned equipment."
While the focus centers mainly on the U.K. and GCHQ, the paper's authors believe that the activity itself isn't limited to the U.K. at all. Given the information that has been leaked publicly about government CNE operations, and the partnership between the NSA and GCHQ, there is little reason to doubt that knowledge of the exploitation techniques the paper outlines is shared between the two agencies.
In September, in an article written for the Guardian after reading several documents leaked by Snowden, BT's Bruce Schneier commented that "The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities
"This is an especially fruitful avenue of attack; routers are updated less frequently, tend not to have security software installed on them, and are generally ignored as a vulnerability."
In their opening summation, the authors of The Internet Dark Age reference Schneier's comments and say that their research serves as "verifiable proof that Bruce Schneier's statements are indeed correct."
According to the paper, a secondary hidden network and IP address is assigned to a BT user's modem, which gives the attacker (in this case the NSA or GCHQ) direct access from the Internet to the modem and to the systems on the customer's LAN.
The researchers tested the BT Openreach modems Huawei EchoLife HG612 and ECI B-FOCuS VDSL2. In a side note, they point out that BT developed the firmware, so claims that Huawei is responsible for the backdoors are, in their view, false.
In addition, the researchers used unmodified firmware to conduct their tests, but note that their results can be duplicated using modified firmware as well, as those versions carry the same backdoors because they are built from BT's official GNU source-code release.
Once the connection is made, the secondary network cannot be detected at a glance: it isn't visible via the modem's web interface, and it isn't subject to firewall rules or other limitations as far as the switch portion of the modem is concerned. Even before the PPPoE request is issued and an IP address is assigned by the ISP, the secondary network is fully operational, even while the modem is believed to be offline.
The authors discovered that the secondary network in question (CIDR: 18.104.22.168/8) uses a block of IPs maintained by the U.S. Department of Defense (USDOD), and that traffic on this network is hidden through the use of a VLAN. Although the IP addresses are owned by the USDOD, the paper adds, the ping time to the gateway is less than 8 ms from within the U.K.
"This spy network is hidden from the LAN/switch using firewall rules and traffic is hidden using VLANs in the case of BT et al, it uses VLAN 301, but other vendor's modems may well use different VLANs," the paper explains.
Inside the modem itself, other tools and services (routing daemons, SSH, iptables, etc.) are enabled that grant the operators of the secondary network total control over the modem and its routing functionality. Thus the modem acts as a server, listening for connections on several ports, including ports 22 and 23. This gives the operators on the other network remote access to the modem and the LAN, while denying the same access to the owner.
This is possible because a hidden bridged interface exists with its own VLAN that isn't subject to the modem's firewall rules. Scanning the modem's public IP from the outside will show port 161 open (BTAgent), but for the most part nothing else. From the secondary network, however, all necessary ports are said to be open, including an SSH daemon running with basic authentication (admin/admin).
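As an added example from the owner's side (not code from The Internet Dark Age or from BT), the script below audits a modem's interface and listener inventory for the two symptoms just described: a tagged VLAN sub-interface the owner never provisioned, and management listeners (ports 22, 23, 161) bound to addresses outside the customer LAN or to every address. The `ip -d addr` and `ss -tln` style input, the VLAN allow-list, the 192.168.1.0/24 LAN and the 10.77.0.5 address are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample in the style of `ip -d addr` output (not captured from a real modem):
# a tagged sub-interface on VLAN 301 carries an address outside the customer LAN.
SAMPLE_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP>
    inet 192.168.1.1/24 scope global eth0
3: eth0.301@eth0: <BROADCAST,MULTICAST,UP>
    vlan protocol 802.1Q id 301
    inet 10.77.0.5/8 scope global eth0.301
"""
# Constructed sample in the style of `ss -tln` output on the same hypothetical modem.
SAMPLE_LISTEN = """\
LISTEN 0 5 192.168.1.1:80 0.0.0.0:*
LISTEN 0 5 10.77.0.5:22 0.0.0.0:*
LISTEN 0 5 10.77.0.5:23 0.0.0.0:*
LISTEN 0 5 0.0.0.0:161 0.0.0.0:*
"""
EXPECTED_VLANS = {101}  # VLAN tags the owner knowingly provisioned (assumption)
LAN = ipaddress.ip_network("192.168.1.0/24")  # the customer's own LAN (assumption)

def parse_interfaces(text):
    """Map interface name -> {'vlan': 802.1Q tag or None, 'addrs': [IPv4Address]}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"\d+:\s+(\S+?)(?:@\S+)?:", line)   # "3: eth0.301@eth0: <...>"
        if head:
            cur = head.group(1)
            ifaces[cur] = {"vlan": None, "addrs": []}
            continue
        tag = re.search(r"802\.1Q id (\d+)", line)
        if tag and cur:
            ifaces[cur]["vlan"] = int(tag.group(1))
        addr = re.search(r"inet (\d+(?:\.\d+){3})/\d+", line)
        if addr and cur:
            ifaces[cur]["addrs"].append(ipaddress.ip_address(addr.group(1)))
    return ifaces

def audit(addr_text, listen_text):
    """Flag unprovisioned VLAN sub-interfaces and listeners bound outside the LAN."""
    findings = []
    for name, info in parse_interfaces(addr_text).items():
        if info["vlan"] is not None and info["vlan"] not in EXPECTED_VLANS:
            findings.append(f"unexpected VLAN {info['vlan']} on {name}")
    for m in re.finditer(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)", listen_text, re.M):
        host, port = m.group(1), int(m.group(2))   # 0.0.0.0 = bound on every interface
        if host == "0.0.0.0" or ipaddress.ip_address(host) not in LAN:
            findings.append(f"listener {host}:{port} reachable outside the LAN")
    return findings
```

Run against real device output, a clean modem should produce no findings; anything the script reports is a management path the owner did not configure and should be able to explain.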
The access and control granted via this secondary network, the paper's authors assert, enable its operators to steal private keys (VPN/SSH/SSL/PGP), install malware or other monitoring software such as keyloggers, copy or remove content, perform passive traffic monitoring, and perform traffic routing, including controlling traffic based on protocol or port. Furthermore, the paper outlines other granular attacks on VoIP and on mobile devices (as long as the device is connected to the customer's wireless network). The authors also warn of Tor user/content discovery via LAN packet fingerprinting.