Tags
301, adversaries, backdoor, bt, disclosure, firewall, gchq, group, internet, nsa, openreach, ptm1, router
I recently spent a few hours studying a somewhat interesting document posted at Cryptome.org by ‘technical engineers’ calling themselves ‘The Adversaries’. Titled ‘Full Disclosure – The Internet Dark Age‘, it contains pretty damning accusations about the NSA, GCHQ and the BT Group. At the time of writing, I also seem to be the first to comment on this in any depth.
Okay, the specific accusation is: ‘BT are directly responsible for covertly embedding secret spy equipment in millions of homes and businesses within the UK as our evidence will demonstrate. BT have directly enabled Computer Network Exploitation (CNE) of all its home and business customers.’
I believe ‘Computer Network Exploitation’ (CNE) is a reference to the act of penetrating networks and maintaining access to whatever resources are behind whatever perimeter, and the NSA, it’s widely held, does indeed have at least one department for this called the Office for Tailored Access Operations. But I digress.
As most of us understand it, Man-in-the-Middle (MITM) attacks by government entities happen somewhere on the wider Internet outside our local networks, and the NSA and GCHQ have deployed Deep Packet Inspection at major exchange points and cable landing stations – none of this is a secret to anyone with a rudimentary understanding of anti-censorship and Internet privacy.
The Adversaries claim that the NSA/GCHQ, courtesy of the BT Group, instead perform MITM attacks through some backdoor common to routers of most home and small business networks. The way this allegedly works is that our routers make a DHCP request to a second network other than our service providers’ and are consequently assigned two IP addresses – one from an address range belonging to a giant Department of Defense network with tentacles in every phone exchange.
Of course, the configuration options allowing this activity wouldn’t be visible in the admin interface of your average home router, and the ‘user friendly’ options for setting firewall rules are typically quite limited. This would mean that an obscure ‘service’ port could be open, the owner wouldn’t be aware of it, and there would be no way of telling what daemons (iptables, routing, SSH, DHCP, etc.) were being manipulated by an attacker from the outside. Remember, most non-carrier routers are Linux boxes totally exposed to the Internet.
Most of this, except maybe the DoD network thing, is within the realm of perfectly reasonable speculation, but The Adversaries have based their following statement purely on just that:
‘This clearly demonstrates that the UK Government, U.S. Government, U.S. Military and BT are co-operating together to secretly wiretap all Internet users in their own homes (with few exceptions).’
And they’re probably wrong
The Adversaries attempted to support their hypothesis (or claim) with a study of two home routers. Unfortunately both were issued by BT OpenReach, and they didn’t compare their results with a ‘control subject’ device issued by another service provider. One of the routers tested was the Huawei EchoLife HG612, which has already been hacked and dissected by another researcher who also disassembled the BTAgent software.
Among the sixteen interfaces they found were ‘ptm1‘ and ‘ptm1.301‘, which they reckoned were suspect because communication was initiated on the latter before any server on the Internet could be pinged. However, that’s kind of what we’d expect to happen anyway: I hope it’s not too patronising to say one doesn’t simply get Internet by plugging an unconfigured router into the phone line. The router must first be on a broadcast domain and authenticated with whatever ISP in order to be assigned a public IP address. As further evidence of this, a forum post about reconfiguring the OpenReach router for Sky broadband shows the ptm.301 settings being replaced with the following command to authenticate the router with Sky’s DHCP server:
dhcpc -i ptm1.101 -I ptm1.101 -c "123abcd456@skydsl|654dcba321"
It seems ‘ptm1.301‘ is also used for something called TR-069 remote management, which has been around since at least 2004. It’s sometimes referred to as ‘CPE WAN’, which is another way of saying it’s a method for ISPs to manage customer services without having to despatch engineers every time there’s a problem. Of course, it’s conceivable that GCHQ and the BT Group might use this for surveillance, but I haven’t seen evidence of that ever being done.
The Adversaries also came across the following IP address and port number:
30.150.xxx.xxx:8081
This erroneous entry is indeed within the public address range of the US Department of Defense, but it also appears to be an internal address for BT’s network/infrastructure. This is how The Adversaries (mistakenly?) thought our home routers were connecting to the DoD’s network.
Just in case…
Of course, there’s no harm in being reasonably paranoid and hardening a network’s security anyway. If The Adversaries’ claims were true, and I’m pretty certain they aren’t, what is to be done? The obvious fix is to replace the issued router with another perimeter device running an open source operating system such as OpenWRT, and probably use a Linux box as an iptables-based firewall.