, , , , , , , , , , , ,

If Richard Clarke and a few others are to be believed, the Chinese government has practically owned our telecommunications network, and possibly industrial systems, by backdooring our networking equipment. Unlike many other cyber scare stories that become the subject of derision among infosec people, there’s actually a large grain of truth to all this which I only found out quite recently – backdoors are not only very common in commercial routers, but it’s widely speculated (maybe wrongly) that the PRC is behind most ‘Advanced Persistent Threats’. APTs, if they’re anywhere as advanced as we’re led to believe, have the skills required to gain remote access to gateway routers by exploiting the backdoors. I’ll explain roughly how it could be done later.

This is also loosely related to the idea that commercial hardware manufactured in the PRC includes something known as a ‘Manchurian Chip’ – basically a hardware-based back door. Here’s the basic hypothesis, according to Scott Terban at Krypt3ia:
‘All computers on the market today — be they Dell, Toshiba, Sony, Apple or especially IBM — are assembled with components manufactured inside the PRC. Each component produced by the Chinese, according to a reliable source within the intelligence community, is secretly equipped with a hidden microchip that can be activated any time by China’s military intelligence services, the PLA.’

DARPA began the Trust in Integrated Circuits programme back in 2007/2008 to investigate this, awarding contracts to specialists with the resources to conduct the analysis. The findings are classified, but they apparently ‘sent shockwaves through the counterintelligence community’, according to The Investigator. From our perspective it means they commissioned some research and haven’t produced evidence to support the Manchurian Chip theory. It’s an unproven worst-case scenario that isn’t much use to us because it’s unverifiable, but we do know they poured around $50 million into investigating the possibility.

Cisco Connect Cloud
I started looking into this after a discussion about Cisco’s Connect Cloud on on of those tin foil hat forums the other week. Reports say that an automatic firmware upgrade has stopped people logging into their routers locally, and they now have to administrate their networks through Cisco’s new Connect Cloud service. It is possible to access them locally if they are disconnected from the Internet, but with many options unavailable, as if Cisco is forcing its customers to use the online service. Was it a mistake, an attempt by Cisco to micro-manage their customers’ networks, an effort to coerce them into some legal agreement, or something indeed more sinister? Were components of this in place long before the web service was developed?

Basically what Cisco has done is install a Remote Access Tool, created a user-friendly web interface for the proxy server, added the word ‘cloud’, and attached a Terms of Service that allows the company to gather whatever it wants about the devices and traffic on the network (it’s there in black and white).
Essentially it’s a Linux rootkit, except here the customers are provided access to the C&C server. Except accessing the web interface for the C&C server might also be a problem. I found the login/registration page isn’t compatible with fairly recent (2011) versions of Firefox or Opera browsers, which contradicts the marketing stuff that claims Cloud Connect enables customers to access their routers from anywhere with an Internet connection.

Does this mean Cisco itself can access peoples’ routers whenever they wanted? Technically, yes they can, and so could anyone else who manages to hack into the system. This should be a cause for real concern because these devices are the central component of networks, and if the router is broken into, the whole network behind it is owned. The majority of SlashDot and Reddit commenters were aware of this risk, and that online accounts can and do get hacked. Of course, the ones who bought the latest routers and disabled remote management for this very reason were mightily pissed.

Backdoors are Actually Common
On further digging, I learned the Connect Cloud affair wasn’t a one-off, and that hidden remote access methods, often euphemistically referred to as ‘undocumented features’, are actually quite common.
In 2007 a hacker discovered the presence of several remote access Telnet accounts on his router belonging to his ISP. Another report from 2009 says that Verizon backdoored their customers’ routers, and they were available even when the remote management option was disabled.
In April this year, another report surface of a backdoor in the RuggedCom operating system, and this particular case got much attention because the Rugged OS is installed on routers designed for industrial systems, and a criminal hacker discovering how the passwords were generated (based on the MAC address) could have gained administrator access. What’s more worrying is it was 8-9 months between discovery and disclosure, and roughly a year until RuggedCom, after being acquired by Siemens, announced it would fix the problem.
There are countless other reports just like these on the Internet, enough to build a vulnerability database.

How to Discover or Exploit a Router-Based Backdoor
The problem is an average IT dpartment wouldn’t know about this flaw unless it’s testing the networking equipment before installation, or doing the research beforehand. Someone on Reddit asked whether there’s a way to detect a backdoor on a router. There are indeed a couple of methods, both of which involve adding it as a host on an existing LAN.

A router is usually an embedded Linux computer, as I’ve pointed out here before, and like any Linux computer it’s possible to install a Remote Access Tool on it, or to enable Telnet access. So there are two ways a third-party can access the device remotely.
If a Remote Access Tool is present, as is the case with Connect Cloud, the router will try to establish a connection with a server when the device is booted up. This can be detected using a traffic analyser like WireShark.
ISPs generally don’t require Remote Access Tools, since they already know the IP addresses of all the routers connected to it, and could simply attempt a Telnet login for any of those addresses. The owner could try doing the same after putting the device behind another gateway.

Both introduce a major vulnerability into the system, and as I’ve mentioned, there is a way to exploit this:
* Pick an IP address
* Determine the ISP for that address
* Determine which router model the ISP supplies to its customers, and attempt login to known remote access accounts for that device.

I can imagine something like Metasploit being developed for this, or perhaps a shell script that automates the task of matching router exploits to ISPs and IP addresses.

One of the commenters at Schneier.com suggested replacing the gateway router with a Linux box with a MAC changer. That way, the person outside the network should find it harder to detect what hardware is being used, and therefore won’t know whether a backdoor is present or how to access it. The MAC address might indicate which model router is present, and this might be why certain ISPs require the presence of a gateway device on home networks with the same MAC address as the router it supplied. This kind of answered my question about why a MAC spoofing feature is sometimes needed.