HALLUXWATER: NSA Exploit of the Day

Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog:

HALLUXWATER

(TS//SI//REL) The HALLUXWATER Persistence Back Door implant is installed on a target Huawei Eudemon firewall as a boot ROM upgrade. When the target reboots, the PBD installer software will find the needed patch points and install the back door in the inbound packet processing routine.

Once installed, HALLUXWATER communicates with an NSA operator via the TURBOPANDA Insertion Tool (PIT), giving the operator covert access to read and write memory, execute an address, or execute a packet.

HALLUXWATER provides a persistence capability on the Eudemon 200, 500, and 1000 series firewalls. The HALLUXWATER back door survives OS upgrades and automatic bootROM upgrades.

Status: (U//FOUO) On the shelf, and has been deployed.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

This one is a big deal politically. For years we have been telling the Chinese not to install hardware back doors into Hauwei switches. Meanwhile, we have been doing exactly that. I wouldn't want to have been the State Department employee to receive that phone call.

Posted on January 8, 2014 at 1:48 PM • 52 Comments

Comments

AstroJanuary 8, 2014 2:12 PM

Everyday, this catalog drives the point in deeper that everything is compromised, all secrets are known or in line to be known, government, corporations, are minions and the matrix mainframe is set and vaccuming everything in. Abandon the existing matr

AJanuary 8, 2014 2:26 PM

Didn't a load of Huawei kit have accidental back doors due to default passwords. Might not have been hard to do the initial install ;)

TJanuary 8, 2014 2:49 PM

Ironically, they probably chose PIT rather than the first-letter abbreviation in order to be "politically correct" and not offend anyone.

PetterJanuary 8, 2014 3:43 PM

I see a feature option for an old school manual write protection switch and external off line firmware update procedures.

We need to secure the algorithms.
We need to throw out NSA from every peer review or other working group that handles digital security and coms.
We need to take back what they have fiddled with and destroyed under all these years.
We need to make sure we do use DNSSEC globally for everything.
We have to double, triple or quadruple the key lengths. Heck - go 10x while we are at it. I can handle some lag if I know its secure.

After that we need to protect our systems one by one.

dmixJanuary 8, 2014 3:50 PM

What percentage of internet traffic is stuff siphoned by the NSA? Probably competing with Bittorrent.

Are they investing in the infrastructure they are stealing from?

SalJanuary 8, 2014 4:10 PM

If they say Hauwei has copied everything Cisco then does it mean Cisco devices have similar backdoors?

Bruce SchneierJanuary 8, 2014 4:20 PM

"Everyday, this catalog drives the point in deeper that everything is compromised, all secrets are known or in line to be known, government, corporations, are minions and the matrix mainframe is set and vaccuming everything in."

I disagree. The catalog shows the exact opposite. The catalog shows how much is so secure that the NSA has to resort to these targeted attacks to get at what they want. If everything were compromised, the NSA wouldn't need a TAO.

TimJanuary 8, 2014 4:40 PM

@Petter "We need to throw out NSA from every peer review or other working group that handles digital security and coms."

As a general principle, we need to support standards organizations that are open to anyone and which produce voluntary standards.

For example, support the IETF, but avoid organizations that may actually be dominated by government or industry, such as ANSI or ISO.

Lurker #753January 8, 2014 5:10 PM

@Bruce, but of *course* the NSA needs a TAO! Because they can. It's another card in the pissing/budget contest with FBI/CIA/etc. ("look how we're helping the DEA!"). It's good for morale - saying yes instead of no to ambitious subordinates (and everybody nearby gets reflected glory). Hell, it's a Plan-B in case the whole Total Info Awareness thing blows up (oh look!).

The TAO seems pretty much like the armoured cars being gifted to sleepy small-town police departments. Need? Who cares? Of course, they'll only be used for dire (yeeehAW! oh yeah!) emergencies.

[lurkmode re-engaged]

DavidJanuary 8, 2014 5:13 PM

@Petter,

I see a feature option for an old school manual write protection switch and external off line firmware update procedures.

I can't help but picture a firewall the shape of a giant floppy disk with a big paper label and a sliding block in the upper corner.

As for the write protect--not a bad idea, if people would put up with having to go to each appliance (or send a minion) while they do the upgrade or change the config.

If you're in the same building, that's one thing. But I've been part of networks where the box in the adjoining room is not "mine", and was administered from 8,000 miles away; sending a minion can get expensive in those cases.

(And this doesn't address how you keep someone from walking in while the minion is heading back to the airport and compromising your remote switch/router/firewall in the same manner...)

Those are probably the choices the people will have to make, according to their perceived risk and level of paranoia: Convenience that makes it easy to exploit vs. hardened that makes it difficult to administer/upgrade.

AnuraJanuary 8, 2014 5:46 PM

My problem is not that they have these tools, my problem is that we don't know who they are being deployed against. Amazon? Rackspace? ISPs? What makes someone a target for TAO? High volume of traffic, or actual evidence of a national security threat?

DavidJanuary 8, 2014 6:18 PM

@Anura,

Not to be Hollywood-plot, but here's a scenario that comes to mind:

[Alphabet soup agency] learns that the local embassy for Centralia is looking to upgrade their screens; seems that everyone is tired of the 21" LCDs after watching a re-run of Swordfish, and they want bigger monitors.

They take a look at the catalog, see that they can get 10 "RAGEMASTER" implants for $300 bucks, and then they sneak into the Fedex warehouse partway through the shipment (or hitch a ride on the plane, or buy the trucker a dinner while he looks the other way), and they replace the monitor cables.

$300 and maybe a quick replacement job and they now have the capability to watch what is on the computer monitors of Centralia's embassy at any time they choose.

Maybe Centralia is a friend, and we just want to keep it that way. Maybe, friendly or not, they are talking to some less-friendly folks, and we'd like to see what's going on. Or maybe, as a matter of course, $300 bucks is a cheap investment against an unknown future.

The tech is cheap and surprisingly simple, the targets are common, and, in the end, it's easy to switch from [not-so-]friendly country to [multinational corporation]. Knowing that you could do this, how could you not, especially if you believe that all is fair in love and war?

Once you start believing that more is better, and there will be no blowback--heck, you'll probably get promoted--then the target list keeps expanding, and the justifications get more...perfunctory.

joshJanuary 8, 2014 6:21 PM

@Petter - uh huh. Given that TAO also uses "interdiction" (intercepting gear in transit) and "black bag jobs" (breaking and entering) just what have you achieved? Nothing. Physical access means total access. Period. At least this is a one off, usually, which is hard to do for every device out there.

Robert TJanuary 8, 2014 6:27 PM

I think the backdooring of Hauwei equipment raises an interesting issue, which is the lack of any real choices within the electronic component market.

Everyone accepts that Intel (had/has) a virtual monopoly on the CPU socket but very few people appreciate just how strong a market position Realtek has over PC audio, or Broadcom for 1000baseT/WiFi.

There are very few choices of commercial silicon for makers of enterprise grade bridges/routers/firewalls. In general, in the semiconductor market, each discrete component has less than FIVE possible vendors, where by the top two vendors typically control over 80% of the market for this component.

This means that the NSA's job is made somewhat easier IF it understands the semiconductor component space AND targets it's exploits at capabilities hidden deep within these components. I suspect this Halluxwater is just such an exploit. Persistence is maintained because the exploit probably exists inside some non-volatile memory intended only for use by the component. Most chip vendors will never tell a PC maker how they implement a given function (which parts are software/firmware which parts are dedicated hardware, the PC maker will be lucky if he even knows the type of microcontroller embedded within the component. As a consequence the protection/security of this embedded component Flash is often just an afterthought, it is trivial to access IF you happen to know the secret handshake. Furthermore once inside the component, there are no routine updates, no virus checkers, no checksums basically there is no way to be discovered, yet this component has trusted access to the system RAM, matter of fact it must have trusted access just to operate. How perfect is that for an exploit, its OS independent and persistent.

I'm certain the TAO has made it it's business to learn these trade secrets and this knowledge results in Threat persistence. It's just a year ago that most security professionals would have considered China as the main APT vector, we now know that the real APT enemy is operating from within the US boarders.

ostrichherderJanuary 8, 2014 6:29 PM

Sure, maybe these exploits were only used on a very limited basis. With full warrants and court approvals. Because we know how careful the NSA has been.

sigh. We'll see when more documents are released.

What I wonder is why the NSA didn't protect us from these exploits rather than promoting them. Does it really serve us to have all the best minds hacking? Shouldn't they be securing? Isn't that the basis of security?

SteveJanuary 8, 2014 6:30 PM

"For years we have been telling the Chinese not to install hardware back doors into Hauwei switches."

And I'm sure they listened.

Nothing can be trusted. Ever.

So what else is new?

Tony H.January 8, 2014 6:41 PM

@Anura: My problem is not that they have these tools, my problem is that we don't know who they are being deployed against. Amazon? Rackspace? ISPs? What makes someone a target for TAO? High volume of traffic, or actual evidence of a national security threat?

I'm a little surprised not to have seen a single report of one of these things found in the wild. Did NSA and their pals run around post Snowden and quickly remove every last one of them, or hit the global kill switch? Somehow I doubt it. This suggests that they and their doubtless much better successors are directed only at targets of real interest, and of a sort that's either not going to report anything and/or is not competent to find anything even knowing what we all do now. Which makes sense for many of the technologies described; no one has the time to actually read flickering screen images or listen to room audio on a large scale, and that's probably the sort of low quality stuff that can't be automated (yet). As for the router stuff, I'd expect ISPs to get caught up by the mass backbone vacuuming; why target them directly?

Secret PoliceJanuary 8, 2014 6:50 PM

There was this HITB talk back in 2012 detailing the architecture of Huawei's proprietary 'VRP' operating system http://m.youtube.com/watch?v=KUC_FduwWxU.

Why reinvent the wheel when they could have just used OpenBSD, then built a cryptographically secure configuration app for it. Even better provide OpenBSD full hardware docs and fund them to port your firewall at 1/4 the cost to maintain your own OS. Use decades of proven security development don't make your own feeble OS just for marketing purposes.

These routers and firewalls are still used worldwide at telecoms and ISPs. Since anybody can watch that HITB talk and reverse engineer the BIOS and OS not at all surprised NSA can do this. Give me 100,000 engineers and billions in research money can make an exploit factory with the shoddy proprietary systems out there.

AnuraJanuary 8, 2014 7:05 PM

@Tony H

Simple. "By examining this device, you agree to the NSA terms of service."

SoWhyIsThisHappening?January 8, 2014 8:22 PM

Bitcoin anyone?

The debate continues...

http://news.slashdot.org/story/14/01/08/222253/a-rebuttal-to-charles-stross-about-bitcoin

I am of the opinion that it is advantageous to the NSA to have Bitcoin succeed and be vulnerable. After all, NSA owns TOR (the deep web) and can do what it wants in that venue. As such, when many are dependendent on Bitcoin, they can destabilize that arena at any time, electronically or via drones (physically) and bring a large segment to their knees. Or, at least, they probably think along those lines.

By the way, the cell phone (personal tracking device) and the Internet in general, fall into the same venue: NSA can destabilize these at any time. And of course, they will start with "targeted" destabilization, thus TAO.

A-TeamJanuary 8, 2014 8:37 PM

HalluxWater ... high marks here for tradecraft: at face value, the code name has no connection whatsoever to the item under discussion (hallux is medical latin for big toe, hallux hot and cold water basins are the podiatry treatment for hallux rigidus). And who could begrudge them an H for Huawei mnemonics?

HalluxWater is yet another tool stressing persistence (over exfiltration swiss army knife). Someone here asked a session or two ago why persistence was a big deal for NSA 'given they sit astride the internet backbone and presumably can win the man on the side race repeatedly if there is a need to re-install due to non-persistence.'

There's a six-part explanation to that [tl;dr: persistence = tradecraft], as shown in other documents released by Der Spiegel in late December. In fact, despite moving decision logic out physically closer to the event, NSA still has quite a bit of response latency (causing them to often lose the race):

 -- SAS     Site Access System front end and Layer 0/1
-- Stage0 TUMULT: demux and Layer2
10 Sensor TUMULT: Layer3 plus Passive Sensor/Event Detection
120 ITx IslandTransport: Enterprise Message Service
20 C&C TURBINE Command/Control/Decision Logic
20 Diode SurplusHanger: high-to-low diode
70 CovNet TAO Covert Network (MiddleMan)
75 Inject TAO injection implant
-- Target Destination for CND/CND/CNA
685 milliseconds total latency

Don't confuse a SIGAD sitting on an AT&T fiber optic cable in Des Moines targeting a sleepy math professor at ISU Ames with a foreign-operated SIGAD sitting on a Euro-Asian owned underseas cable landing in Cyprus trying to implant on an OPSEC-conscious entity in Syria or Israel. It's harder to do anything about the latency for the latter.

Third, after NSA has chained out the target in Marina to Equivalent IDs, the analyst can be left with a fairly meagre set of regularly visited external urls vs-a-vis vulnerabilities available in their database.

Imagine the target visiting the MOTS-able site once a week and 2 shots out of 3 not resulting in a hook. If the implant isn't persisting very well, the target has gone dark much of the time. A lot of mischief can be planned and executed during those gaps in real-time coverage.

The two case studies shown in the hacking tutorial provide concrete examples of the non-impotence of FoxAcid attacks. They spent 3 weeks time on the facebook selector, getting nowhere. Hacking the Mozilla/5.0 iPad iOS 5.01 with the yahoo selector went nowhere from 29 Jan 13 on but eventually gave a successful implant 22 days later, 19 Feb 2013.

Next, think about workload -- NSA is running some 68,000 implants, thousands more on their wish list. If the persistence has too short a half-life, too many resources are allocated to re-establishing. Not to mention frustration for the poor analyst tasked with getting a report out the door in a relevant time frame.

Fifth, TAO isn't in the business of freelancing implants. There's always a customer out there for the implant data -- and a customer contract spelled out in one of the 2,000 x 20 page 'demands' NSA faces today. Ask yourself, why was TAO doing industrial espionage cookie-replays at Brazil's MME? Because they had a customer bidding on pre-salt oil leases.

Finally, asset protection. Good hacks are precious, they take a lot of development. If a hack becomes exposed, scans and defenses quickly become available, so they've lost their investment. The less often they mess with target computers, the less often they are exposed.

In short, it makes sense for NSA to put a lot of effort into persistence. And they sure do there at TAO -- 18 tools mention persistence right out of the gate.

COTTONMOUTH I-III, DEITYBOUNCE, FEEDTROUGH , GINSU, GODSURGE, GOURMETTROUGH, HALLUXWATER, HEADWATER, IRATEMONK, IRONCHEF, JETPLOW, SCHOOLMONTANA, SIERRAMONTANA, SOUFFLETROUGH, STUCCOMONTANA, SWAP

Clive RobinsonJanuary 8, 2014 9:49 PM

@ Bruce,

    I disagree. The catalog shows the exact opposite. The catalog shows how much is so secure that the NSA has to resort to these targeted attacks to get at what they want

Sorry to be picky but the catalog does not "show the exact opposite", it confirms Astro' main argument of,

    Everyday, this catalog drives the point in deeper that everything is compromised all secrets are known or in line to be known

The catalog is a list of --presumed working-- exploits TAO have developed. Thus although the exploits may currently be limited due to other resource limitations they are in deed to compromise that which has not currently been automated.

The important point is "known or in line to be known".

That is many if not the majority of these compromises / exploits can be "automated" in some manner.

For instance bugged cables are relativly cheap, and will get cheaper per item the more you produce. The DHS in effect controls "US Customs" and in all likely hood has significant control on the FCC. It would only take a minor change in "import requirments" to make it not cost effective for Far Eastern manufactures to supply cables, and for screen distributers to source "type approved" cables from the US (which just happen to contain the bug). Within 18-36months something over 80% of screens and cables would be replaced anyway depending on Tax right off period and home users upgrading. Just to chivy the rest along you make the use of "non type approved" cables illegal and either run an "exchange program" or put a big fat fine on those caught not using the new "type approved" cables.

This sort of thing goes on all the time as "Home Market Trade Protection" and has done for longer than any of this blog readers life time. The classic example used to be "Telecoms Safety" where a country picked a different dial rate or line levels or protection circuit. In Germany for instance if you submitted a new phone design for approval unless it incorporated a certain well known major German semiconductor manufactures chip(s) it would be tested untill it failed (and it would do). However with the chip(s) in those "exacting tests" were "assumed" to have been passed. I know full well that the UK Gov in cahoots with initialy BT and then BABT used to do simillar, but due to certain circumstances those operating out of "The Little Shop of Horrors" that was BABT's offices just outside of SW London decided to follow more profitable ways of doing business (that's why three of their manufacturing site examiners resigned almost simultaniously after somebody let the cat out of the bag). However the all time bare faced cheek probably goes to Japan with the requirment that all pushbikes had to be type tested by "A Japanse Olympic cycling Gold Medal Winner" (which at the time there was not one...).

It's one of the reasons you will see occasional refrences to the Trans Pacific (TPP) trade talks that started a little while ago, basicaly the US has rigged it and there will be no fair outcome, for the non US countries manufactures and why US performing arts rights holders will now be able to sue those Governments directly in the US every time they feel they need their profits boosted... (the joys of "lobying" and "palm greasing" in action).

That said I can see why you might disagre with,

    ... mainframe is set and vaccuming everything in

Whilst compleate "vaccuming" is not "currently" happening to the work involved with stopping it becoming so is immense, and would require in effect this dismembering of certain large Software and Hardware suppliers and their technologies, who are now well well beyond the point where people can credibly trust them. And personaly I can't see that being alowed to happen in my lifetime unless they become bankrupted by class actions or dearth of customers. Once upon a time we joked about WinDoze being "malware", unfortunatly it's nolonger a witty or amusing joke.

Clive RobinsonJanuary 8, 2014 10:02 PM

As for "detecting" this form of malware, theoreticaly it's fairly simple, providing you have not yet been infected or if you have it's in active use.

Basically you "double up" on your firewalls so you have,

Internet -- FW1--DMZ--FW2--intrenet.

And in the DMZ you look for "rouge traffic" with a non enumeratable instrumentation system.

In practice as any Honeynet operator will tell you this is a difficult task at best. Further it also assumes that the TAO have not developed a whole series of instrumentation system attacks that they run on the assumption you are using instrumentation to look for their traffic.

Robert TJanuary 8, 2014 10:15 PM

For me the biggest danger is not the NSA rather it is every other tinpot regime realizing that these sorts of exploits exist and can be used against their enemies (internal and external), basically the NSA has opened Pandora's box so the secret is out.

I have no idea what is happening within the third world governments but I'm guessing that they're slowly realizing just how F'ed up their national information security really is. Seems to me this must end in some sort of trading pact related security system. Kinda like existed with the USSR/USA (eastern block countries using USSR equipment while Western Block used USA (five eyes) equipment. The two camps are clearly USA and China which raises interesting questions about which camp Australia is really in, their new broadband network is clearly Western yet their economy is little more than an Asian satellite, with over 90% of Australia's exports being to Asia.

Fun time ahead for the security sector!

FigureitoutJanuary 8, 2014 11:05 PM

I wouldn't want to have been the State Department employee to receive that phone call.
Bruce
--Do diplomats all over the world even trust each other in the first place? I consider it all just theater and they're probably scheming...

Man, our world is so messed up now. What the hell?!

WinterJanuary 9, 2014 2:11 AM

"Physical access means total access. Period. At least this is a one off, usually, which is hard to do for every device out there."

True. So does this not lead to the conclusion that to increase the cost of TAO:

1 Security should be local with off-site as a "backup"

2 All devices should be build from multi-source well specified modular components that can be obtained anonymously and tested in-house

PetterJanuary 9, 2014 2:36 AM

@Tim

Yes, open standardization driven with a minimum of corporational and governmental control.


@David & Josh

Convenience vs security is a tricky one.
Electronic TAO is far more effective for NSA then getting physical access to already installed systems. And it's also easier for a system owner or hoster to monitor and control a physical domain then an electronic one.

We can not stop them if they 'really' want in, but we can make it so demanding they stop doing it by automation and in what looks to be on a industrial scale.

Tomás CastroJanuary 9, 2014 2:57 AM

Is it possible today to purchase a mobo without built in components like NIC, sound card, graphics card, dial-up modem and so on?

Bruce ClementJanuary 9, 2014 4:25 AM

@Secret Police "Why reinvent the wheel when they could have just used OpenBSD"

I can think of a number of reasons. Most important for this discussion, OpenBSD can be, but is not necessarily, more secure than a home grown solution (CVE Stats):

Why so many more reported vulnerabiities for OpenBSD? Being open source vulnerabilities are more likely to be found and reported; as a general purpose operating system it has a lot of size and complexity that would not be needed in a special purpose operating system.

It does do a lot better than Cisco IOS on this one metric though.

For comparison, FreeBSD scored 260 reports and Debian (A Linux & Gnu general purpose operating system) 266.

I'm more interested in why Huawei is so low as I'm very suspicious of that low number. Perhaps they really are that good, perhaps it shows a bias towards studying US originated products, possibly because CVE is maintained by Mitre corporation under contract to the US government's Homeland Security (https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures).

wiredogJanuary 9, 2014 5:22 AM

The interesting part, to me, is this:
Status: (U//FOUO) On the shelf, and has been deployed.
It's an "unclassified, for official use only", tool. In other words, it probably exploits a publicly known vulnerability. May even be a publicly available tool. U//FOUO is the level of classification of the office phone directory.

@wiredogJanuary 9, 2014 5:33 AM

@wiredog
Only the phrase "On the shelf, and has been deployed." is U//FOUO.

The rest of the document is TS//SI//REL.

TroutwaxerJanuary 9, 2014 9:57 AM

@Anura: "What makes someone a target for TAO? High volume of traffic, or actual evidence of a national security threat?"

Anyone they might want to blackmail? In fact, I'm imagining blackmail as the default method of governance in the future!

fishing line tied around a big toeJanuary 9, 2014 10:40 AM

About the name:
- The water part refers to the fire in firewall, you'll see this for the same reason in some of the other names mentioned.
- Hallux is about dipping your toe in the water.

It should become obvious the names are not random and often employ quite a bit of dry black humor. Don't disregard context and associations.

People already said this but I'm spelling it out loud (Huawei is just an example):
At a sufficiently low level fixing one "bug" is the same as discontinuing (supplier) product lines (and they might not be replaced by anything).

fishing line tied around a big toeJanuary 9, 2014 10:58 AM

By the way I think/speculate they make Halluxwater persistent by faking an "internal" hardware downgrade resulting in some slightly schizophrenic hardware ordinarily (depending on how it's asked) thinking it has less physical memory than it was made with.

Seems like an easy way to do it. Is there anything with a chip made during the last decade that wouldn't fall for this?

"Undermodding" and good "bad" blocks for fun and profit?

Persistence... And then somewhere down the line the the chips/memory are recycled into other products carrying the good "bad" blocks with them... LOL :D

Mike AmlingJanuary 9, 2014 11:48 AM

@Clive Robinson "And in the DMZ you look for 'rogue traffic' with a non enumeratable instrumentation system."

Forgive my ignorance, but what does "non enumeratable" denote in this context?


Also, did I miss it or has there been no leak of anything about tapping submarine cables overseas? There was a rash of cable breaks a couple years ago that seemed at the time to be more than coincidence. I'm thinking that someone breaks the cable in one place, then splices in a tap somewhere else while the owners are repairing the break. The tap would need to draw its power from the cable's power supply for the (legitimate) repeaters. I can hardly believe the tap would be able to communicate on any channel other than the cable itself, and if so, it could be detected by finding the data received at one end does not match the data sent from the other end.

Nick PJanuary 9, 2014 12:20 PM

@ Mike Amling

"Forgive my ignorance, but what does "non enumeratable" denote in this context?"

Quick guess is that he's talking about a box that listens to the network but never responds. There's software configurations for this like having your firewall relay all incoming traffic to the IDS, but disallow any traffic *from* the IDS. The high assurance solution is a network tap with data diode (one way cable). This solution physically blocks anything outgoing from IDS. So, in practice, the attacker gets in, starts profiling the network (enumeration), and [if it's a tap setup] never sees the IDS box at all.

@ Bruce Clement

"I'm more interested in why Huawei is so low as I'm very suspicious of that low number. Perhaps they really are that good, perhaps it shows a bias towards studying US originated products, possibly because CVE is maintained by Mitre corporation under contract to the US government's Homeland Security (https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)"

I have a simple hypothesis for the low count of Huwei:

The kind of people digging for vulnerabilities in Huwei's product would rather sell them for profit to US and European spy organizations. That means they don't end up on CVE. Bonus part of hypothesis is that few people care to find bugs in Huwei OS that do publish to CVE.

re OpenBSD bug count

Complexity. Another possibility here is that OpenBSD is more complex than Huwei's OS. The OS might do very little with most work in middleware or user-mode processes. Admittedly speculation as I don't use Huwei products. With more features, esp standard support, a full blown UNIX such as OpenBSD would have higher bugs waiting to be discovered.

Bug hunting activity. The easiest explanation for this is "more bug hunters with more skill for more time." OpenBSD isn't just open source: it's been open source for a long time. It also boast of its security and is used in security-critical deployments for that reason. Offering little aid to user, administrator, or developer means it also attracts people who know what they're doing. Finally, OpenBSD coders regularly do official bug hunts where they scour the code looking for as many problems as possible. Put all of this together, then a number that's under 200 is a measure of success rather than failure.

Assurance. That said, I've always said that OpenBSD will be "low defect" at best rather than secure. The reason is that they don't use a high assurance (EAL6-7) development process. Comparing the majority of projects with high assurance projects, the past told us that the extra rigor caught many problems that no test or review spotted. Plus, these processes do both whole lifecycle security and covert channel analysis. That OpenBSD, Huwei, etc. aren't built this way implies that they're insecure and always will be imho. At best, they can increase attacker work and/or reduce the number of vulnerabilities below some level in their class of software.

(Of course, the lessons of years of high assurance work taught me that it's better to cheat around the requirements. Hence, my focus on simple modifications to CPUs/memory like tags to make code injection impossible by design. Won't auto-secure a system but low assurance software transforms from "code wrong once attackers have rooted your box" to "coding errors might lead to DOS or data corruption." An huge improvement nearly for free to software coder.)

Clive RobinsonJanuary 9, 2014 12:23 PM

@ Mike Amling,

Err it's a changed thought mid word type (enumerate to enumerable)

Or to put it another way it's a device that only receives data in a passive manner and cannot (because TX wires cut etc) put signals or data into the DMZ by which an attacker could determin it was there and specificaly sufficient details about it to attack it.

Although an attacker cannot see the instrumentation system, they can still attack it. In a similar way crackers used to do with *nix logs, assume it goes to a printer and print out a thousand blank pages to empty the printer of paper before you launch the "attack proper".

Clive RobinsonJanuary 9, 2014 12:39 PM

@ Nick P,

Alas we both responded to Mike at the same time (well with in a couple of minutes).

@ Bruce Clement, Nick P,

The explanation might actually be good code...

As you are aware the US closed it's Telco Market to them supposadly on a spyware issue... Well they are looking at the UK and have fully opened their software and hardware development process source code engineering files etc to GCHQ as part of the effort of being --or appearing-- to being open with nothing to hide.

Thus they might well have put in the extra mile or twenty to make the code rock solid to reduce the chance of accusations there are "deliberate weaknesses".

Nick PJanuary 9, 2014 12:55 PM

@ Clive Robinson

It's possible. Call it a gut feeling as the number of vulnerabilities he mentioned for Huwei is similar to numbers of many products that benefited from obscurity. Those few that got popular later saw quite the increase in vulnerabilities.

The easy test of the hypothesis is "How many people in the security industry looking for Huwei 0-days do you know of?" I know none personally and have only seen results from a tiny number. Contrast that to Windows and NIX hackers where I'm walking distance from some.

Tony H.January 9, 2014 1:20 PM

So why is Checkpoint not in the NSA catalog? If there's any company that must surely have state-sponsored spyware in their boxes, it's them. Checkpoint claims to be in all the Fortune 500/Global 100 companies, and I have not the slightest doubt that any traffic through those boxes is available to the Israeli spies any time they want it. Why wouldn't NSA have exploits ready? Maybe they just have a cosy agreement with Mossad to have the traffic routed over when they need it.

I guess back in 2008 the hardware was still Nokia, but even then the firewall software was Checkpoint. Hmmm... no Nokia phone exploits either, even though they were number 1 worldwide in 2008, and are still big in the third world.

FailpointJanuary 9, 2014 1:38 PM

Hold on just a minute. I know we are all "down the NSA" and running away from the RSA conference like an evil girlfriend, but let me try to re-vector the approach on Huawei...

They started their company by reverse-engineering Cisco routers tit-for-tat. Now they are in Plano, TX because someone let them in through the front door. How am I supposed to sympathize with Huawei clients? How do I convince people to go take a World Economics class and learn how caustic reverse-engineering, and foreign finished goods are on domestic competition models? The joke is that Cisco engineers are probably helping the NSA find holes in Huawei hardware. No love lost.

Some ad company is sending me a lifetime subscription to Forbes magazine. This month, I saw a Huawei ad showcasing the supercollider. So what, is China reverse-engineering the supercollider now? Is there something that China doesn't reverse-engineer?

This is what America gets for going cheap.

NateJanuary 9, 2014 3:53 PM

Re the codenames, I agree that they're not at all random. Many (though not all) of the software implants are based on initial letters of the system facility they're targeted at, which may reveal clues to how the development programmes are organised. The hardware ones seem to have different naming conventions and often only use one codeword rather than two.

DEITYBOUNCE = DB = Dell BIOS
HALLUXWATER/HEADWATER = HW = HuaWei
IRONCHEF = IC = HP I2C
IRATEMONK = IM = Master Boot Record
SCHOOLMONTANA/SIERRAMONTANA/STUCCOMONTANA = SM = Juniper SMM (System Managment Mode)
WISTFULTOLL = WT = Windows WMI/Registry


Ones that don't quite fit the convention:

DROPOUTJEEP = DJ = ??? (Apple iPhone)
GOPHERSET = GS = GSM SIM toolkit (but MONKEYCALENDAR also a GSM SIM implant doesn't fit the convention)
TOTECHASER/TOTEGHOSTLY = T? = Windows CE / Windows Mobile

fishing line tied around a big toeJanuary 9, 2014 4:41 PM

Nate there's probably a running competition to come up with the cleverest puzzle-like yet hiding-in-plain-sight approved "random" name for each project :)

Bonus points for anything that visibly confuses or distresses NSA-PHB's >:)

Sometimes there will be outliers that don't conform as well because nobody could come up with anything better or some existing (insider) joke or cultural context will completely steal the show (Tote? Of course it would "have" to be related to Windows "play-dough computers" but it also gives seemingly appropriate associations to the German word for death).

FailpointJanuary 10, 2014 3:00 PM

@Bill

I agree, but the article doesn't imply the reason why Cisco gets reversed engineered is because people from the SMB sectors laughed at the idea that you should have to get certified on how to read a manual on how to run a managed router. It points to the Blue Chip IT problem, whereby customers get stuck into a proprietary system that is now engrained in their network infrastructure, and becomes very costly in annual service contracts and multi-tier level support ripoffs. Let us not talk about Novell or IBM Domino here... examples abound.

I believe in the frugality of small business sysadmin, that which demands cutting through the bull in order to accomplish a task. These two companies got NSA implants in similar ways. You can see how the large IT companies throw up denials in public announcements and then turn around and fix things in the background.

This Ed Snowden fallout is better than watching TV. We have all known this stuff forever and a day. Grab a bag of cheesy poofs and watch the show. I am excited to find out how this year's RSA conference is going to turn out... empty, except crawling with feds and script kiddies like a Vegas Defcon.

Dam NanJanuary 28, 2014 7:16 AM

Could halluxwater simply have been reverse engineered from a Chinese agency original hack? The description makes it almost sound like an OEM feature.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..