The Adversaries’ Conspiracy Fail

I recently spent a few hours studying a somewhat interesting document posted at Cryptome.org by ‘technical engineers’ calling themselves ‘The Adversaries’. Titled ‘Full Disclosure – The Internet Dark Age’, it contains pretty damning accusations against the NSA, GCHQ and the BT Group. At the time of writing, I also seem to be the first to comment on it in any depth.

Okay, the specific accusation is: ‘BT are directly responsible for covertly embedding secret spy equipment in millions of homes and businesses within the UK as our evidence will demonstrate. BT have directly enabled Computer Network Exploitation (CNE) of all its home and business customers.’

I believe ‘Computer Network Exploitation’ (CNE) refers to the act of penetrating networks and maintaining access to whatever resources sit behind whatever perimeter, and the NSA, it’s widely held, does indeed have at least one department for this, the Office of Tailored Access Operations. But I digress.

As most of us understand it, Man-in-the-Middle (MITM) attacks by government entities happen somewhere on the wider Internet outside our local networks, and the NSA and GCHQ have deployed Deep Packet Inspection at major exchange points and cable landing stations – none of this is a secret to anyone with a rudimentary understanding of anti-censorship and Internet privacy.
The Adversaries claim that the NSA/GCHQ, courtesy of the BT Group, instead perform MITM attacks through some backdoor common to routers of most home and small business networks. The way this allegedly works is that our routers make a DHCP request to a second network other than our service providers’ and are consequently assigned two IP addresses – one from an address range belonging to a giant Department of Defense network with tentacles in every phone exchange.

Of course, the configuration options allowing this activity wouldn’t be visible in the admin interface of your average home router, and the ‘user friendly’ options for setting firewall rules are typically quite limited. This would mean that an obscure ‘service’ port could be open, the owner wouldn’t be aware of it, and there would be no way of telling what (iptables rules, routing, SSH, DHCP, etc.) was being manipulated by an attacker from the outside. Remember, most non-carrier routers are Linux boxes whose WAN interface sits directly on the Internet, and the ISP-branded web interface rarely shows what is listening on it.
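That last point is easy to check for yourself if you can get a shell on the router. The following Python script is an added example for this post (not code from the original, nor from The Adversaries’ report): it takes ‘netstat -tuln’ style output, as printed by the BusyBox userland on most home routers, and flags every listening socket that a WAN-side peer could connect to, i.e. exactly the ports an ISP-branded admin page gives you no way to see or close. The interface names and addresses and the netstat lines are constructed for the example; port 7547 is the IANA-registered TR-069/CWMP connection-request port, the other ports are arbitrary.

```python
"""Audit which listening sockets on a router are reachable from the WAN side.

Added example for this post, not code from the original or from the report it
discusses. Input is `netstat -tuln`-style output as printed by BusyBox/Linux
routers; the interface layout and the netstat lines below are constructed.
"""
import ipaddress
import re

# Hypothetical interface layout (assumption, not taken from any real device):
# a LAN bridge, the Internet-facing VLAN and a separate ISP management VLAN.
IFACES = {
    "br0": ipaddress.ip_interface("192.168.1.254/24"),      # LAN
    "ptm1.101": ipaddress.ip_interface("203.0.113.7/32"),   # WAN (TEST-NET-3)
    "ptm1.301": ipaddress.ip_interface("10.20.30.40/24"),   # management VLAN
}
WAN_IFACES = ["ptm1.101", "ptm1.301"]   # anything the provider side can reach

# Constructed sample. 7547 is the IANA-registered TR-069/CWMP
# connection-request port; 2323 stands in for "some obscure service".
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.254:53        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2323            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 10.20.30.40:7547        0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.7:49152       203.0.113.99:443        ESTABLISHED
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 192.168.1.254:53        0.0.0.0:*
"""

LINE_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+)\s+\S+(?:\s+(\S+))?")


def parse_listeners(text):
    """Return (proto, bind_address, port) for every listening socket."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header or unrelated line
        proto, local, state = m.groups()
        if proto == "tcp" and state != "LISTEN":
            continue                      # established/closing TCP sockets
        addr, port = local.rsplit(":", 1)
        listeners.append((proto, addr, int(port)))
    return listeners


def reachable_via(bind_addr, ifaces):
    """Interfaces on which a socket with this bind address accepts traffic."""
    if bind_addr in ("0.0.0.0", "::", "*"):
        return sorted(ifaces)             # wildcard bind: every interface
    ip = ipaddress.ip_address(bind_addr)
    if ip.is_loopback:
        return []                         # local processes only
    return sorted(name for name, itf in ifaces.items() if itf.ip == ip)


def wan_exposed(netstat_text, ifaces=IFACES, wan_ifaces=WAN_IFACES):
    """Listening sockets that a WAN-side peer could connect to."""
    findings = []
    for proto, addr, port in parse_listeners(netstat_text):
        on_wan = sorted(set(reachable_via(addr, ifaces)) & set(wan_ifaces))
        if on_wan:
            findings.append((proto, port, on_wan))
    return findings


if __name__ == "__main__":
    for proto, port, devs in wan_exposed(NETSTAT_SAMPLE):
        print(f"{proto}/{port} reachable on {', '.join(devs)}")
```

A wildcard bind (0.0.0.0) is the thing to look for: the web interface on port 80 and the DHCP server on 67 are probably intended, but a process bound to all interfaces on a port you don’t recognise is reachable by anyone who can route to the WAN address, whether or not the admin page mentions it. A socket bound only to the management VLAN address (7547 above) is reachable from the provider side but not from the Internet at large, which is the distinction the rest of this post turns on.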

Most of this, except maybe the DoD network thing, is within the realm of perfectly reasonable speculation, but The Adversaries have based the following statement on nothing more than that speculation:
‘This clearly demonstrates that the UK Government, U.S. Government, U.S. Military and BT are co-operating together to secretly wiretap all Internet users in their own homes (with few exceptions).’

And they’re probably wrong
The Adversaries attempted to support their hypothesis (or claim) with a study of two home routers. Unfortunately both were issued by BT Openreach, and they didn’t compare their results with a ‘control subject’ device issued by another service provider. One of the routers tested was the Huawei EchoLife HG612, which has already been hacked and dissected by another researcher, who also disassembled the BTAgent software.

Among the sixteen interfaces they found were ‘ptm1’ and ‘ptm1.301’ (the latter being a VLAN sub-interface, VLAN 301, on the PTM link), which they reckoned were suspect because communication was initiated on the latter before any server on the Internet could be pinged. However, that’s kind of what we’d expect to happen anyway: I hope it’s not too patronising to say one doesn’t simply get Internet by plugging an unconfigured router into the phone line. The router must first be on the provider’s layer-2 segment and authenticated with the ISP in order to be assigned a public IP address. As further evidence of this, a forum post about reconfiguring the Openreach router for Sky broadband shows the ptm1.301 settings being replaced with the following command, which authenticates the router with Sky’s DHCP server on VLAN 101 (the credentials shown are placeholders):
dhcpc -i ptm1.101 -I ptm1.101 -c "123abcd456@skydsl|654dcba321"

It seems ‘ptm1.301’ is also used for TR-069 remote management, a standard the DSL Forum (now the Broadband Forum) published in 2004. Its proper name is the CPE WAN Management Protocol (CWMP), which is another way of saying it’s a method for ISPs to manage customer-premises equipment without having to despatch engineers every time there’s a problem. Of course, it’s conceivable that GCHQ and the BT Group might use this for surveillance, but I haven’t seen evidence of that ever being done.

The Adversaries also came across the following IP address and port number:
30.150.xxx.xxx:8081

This entry is indeed within the 30.0.0.0/8 block registered to the US Department of Defense, but the address also appears to be used internally on BT’s own network/infrastructure. This is how The Adversaries (mistakenly?) concluded that our home routers were connecting to the DoD’s network.
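Before reading anything into an address like that, the question to ask is not who the block is registered to but which interface the router sends the traffic out of. The script below is an added example for this post (not code from the original or from the report, and not a description of BT’s network): it parses ‘ip route’ style output, does the same longest-prefix match the kernel does, and reports for each peer whether the packets leave by the Internet default route or by a separate management VLAN such as ptm1.301. The routing table, the management VLAN, the idea that the provider reuses a slice of 30.0.0.0/8 internally, and the peer addresses are all constructed; the real address on the page is redacted and stays that way.

```python
"""Attribute a router's outbound connection to the interface it leaves by.

Added example for this post, not code from the original or from the report it
discusses. The routing table, the management VLAN and the peer addresses are
constructed; the page redacts the real 30.150.x.x address and I do not know how
BT actually routes its management traffic, so nothing here describes BT.
"""
import ipaddress

# `ip route` style output for a hypothetical router: the Internet goes out via
# ptm1.101; a separate management VLAN (ptm1.301) carries a slice of 30.0.0.0/8
# that the provider has reused internally (assumption for illustration only).
IP_ROUTE_SAMPLE = """\
default via 203.0.113.1 dev ptm1.101
10.20.30.0/24 dev ptm1.301 proto kernel scope link src 10.20.30.40
30.1.0.0/16 via 10.20.30.1 dev ptm1.301
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.254
203.0.113.0/24 dev ptm1.101 proto kernel scope link src 203.0.113.7
"""
INTERNET_DEV = "ptm1.101"

# Who a block is *registered* to (from the IANA/ARIN allocation records); the
# one entry that matters for this post. Registration says nothing about where
# your packets actually go.
REGISTRY = {"30.0.0.0/8": "US DoD Network Information Center"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_routes(text):
    """Parse `ip route` lines into (destination, via, device) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1]
        routes.append((ipaddress.ip_network(dst, strict=False), via, dev))
    return routes


def egress(routes, peer):
    """Longest-prefix match, as the kernel does it: (dst, via, dev) or None."""
    ip = ipaddress.ip_address(peer)
    best = None
    for dst, via, dev in routes:
        if ip in dst and (best is None or dst.prefixlen > best[0].prefixlen):
            best = (dst, via, dev)
    return best


def registered_holder(peer):
    """Registry holder of the block containing peer, or None if not listed."""
    ip = ipaddress.ip_address(peer)
    if any(ip in net for net in RFC1918):
        return "RFC 1918 private"
    for net, holder in REGISTRY.items():
        if ip in ipaddress.ip_network(net):
            return holder
    return None


def classify(routes, peer, internet_dev=INTERNET_DEV):
    """(registered holder, egress device, leaves via the Internet route?)"""
    match = egress(routes, peer)
    dev = match[2] if match else None
    return registered_holder(peer), dev, dev == internet_dev


if __name__ == "__main__":
    routes = parse_routes(IP_ROUTE_SAMPLE)
    for peer in ("30.1.2.3", "198.51.100.5", "10.20.30.1"):
        holder, dev, via_inet = classify(routes, peer)
        print(f"{peer}: registered to {holder or 'n/a'}, leaves via {dev}, "
              f"{'Internet path' if via_inet else 'not the Internet path'}")
```

Run on the constructed table, the peer inside 30.0.0.0/8 is registered to the DoD but leaves by the management VLAN through a private next hop, which is what you would expect of an ISP reusing an unrouted block on its own infrastructure; the peer with no registry entry goes out of the default route like any other Internet traffic. On a real device you would feed it the output of ‘ip route’ (or ‘route -n’) together with the remote addresses from ‘netstat -tn’, and the answer for a given address is the interface, not the whois record.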

Just in case…
Of course, there’s no harm in being reasonably paranoid and hardening a network’s security anyway. If The Adversaries’ claims were true, and I’m pretty certain they aren’t, what is to be done? The obvious fix is to replace the issued router with another perimeter device running an open source operating system such as OpenWrt, where every listening service and firewall rule is at least visible, and probably use a Linux box as an iptables-based firewall.

8 comments on “The Adversaries’ Conspiracy Fail”

  1. It would make sense to target the home router. So they’re not far off the truth. My own ISP router stunned me. It had gaming and FTP servers all active… it was mortifying. A home router should be safe. What we are being supplied is equivalent to a car, with no keys, no locks, all the windows open, the boot open. And then people act surprised when we get robbed. Schneier has made the point… our routers are being targeted – and it’s so obvious, that his message is gaining traction. :)

    • Of course. Everyone’s router is being scanned constantly while it’s online, and vendor backdoors seem to be quite common. The simplified firewall management on the average router supplied by an ISP is also a huge problem – the lack of options for setting firewall rules.
      However, it wouldn’t make sense for a government entity to make use of a common router backdoor, even though they’re quite capable of doing it. The gains would be limited, considering they have access to zero-day exploits, expertise in getting malware installed on the computers themselves, and the traffic is still encrypted at the application layer while it passes through the router. The fallout from an actual discovery would also be very damaging to a company like BT, so on balance not worth the risk.

  2. Pingback: News Today Online – NewsATW – Do you trust your broadband provider not to spy on you?

  3. Pingback: News Today Online – Do you trust your broadband provider not to spy on you?

  4. Pingback: Do you trust your broadband provider not to spy on you? | Broadband-Package.co.uk

    • I don’t know with 100% certainty, which is why I’ve stated that it appears to be an internal address. The Adversaries added weight to their report with primary research, which is always a good thing, but made the huge mistake of jumping to the conclusion that our routers are connecting to the DoD network.
      Now that wouldn’t make sense – it wouldn’t be subtle or practical, as the data would still be carried over the same infrastructure as our normal Internet traffic. Plus, from a GCHQ/NSA surveillance perspective, the data wouldn’t reveal anything more than what could already be intercepted at major switching/exchange points where the backdoor stuff really does happen.

      What I have done is ping some random IP blocks within the address range, and so far none show up as reachable, which could either mean the relevant ports were blocked or the address range was assigned to some DoD ‘dark net’. The range could therefore be used by anyone else for internal addresses.

      That said, I think The Adversaries are off to a good start if they’re still learning (I guess we all are). They’re doing hands-on stuff, getting the hardware, looking in the right places, etc. Best of luck to them.

  5. Being in the router gives the internal traffic and the MAC addresses, which is great since it allows identification when seen on hotspots etc. everywhere. Assume they use whatever exploits there are.
