HEADWATER: NSA Exploit of the Day

Today’s implant from the NSA’s Tailored Access Operations (TAO) group implant catalog:

HEADWATER

(TS//SI//REL) HEADWATER is a Persistent Backdoor (PDB) software implant for selected Huawei routers. The implant will enable covert functions to be remotely executed within the router via an Internet connection.

(TS//SI//REL) HEADWATER PBD implant will be transferred remotely over the Internet to the selected target router by Remote Operations Center (ROC) personnel. After the transfer process is complete, the PBD will be installed in the router’s boot ROM via an upgrade command. The PBD will then be activated after a system reboot. Once activated, the ROC operators will be able to use DNT’s HAMMERMILL Insertion Tool (HIT) to control the PBD as it captures and examines all IP packets passing through the host router.

(TS//SI//REL) HEADWATER is the cover term for the PBD for Huawei Technologies routers. PBD has been adopted for use in the joint NSA/CIA effort to exploit Huawei network equipment. (The cover name for this joint project is TURBOPANDA.)

STATUS: (U//FOUO) On the shelf ready for deployment.

Page, with graphics, is here. General information about TAO and the catalog is here.

This one is interesting. It basically turns the router into an eavesdropping platform.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on January 14, 2014 at 2:10 PM
40 Comments

Comments

renke January 14, 2014 2:30 PM

This one is very interesting – I believe it’s the first router exploit stating explicitly that the tool can be installed remotely (or did I miss other examples?)

Bruce Schneier January 14, 2014 2:34 PM

“This one is very interesting – I believe it’s the first router exploit stating explicitly that the tool can be installed remotely (or did I miss other examples?)”

I think all of the software implants can be installed remotely.

David January 14, 2014 3:01 PM

[…]the ROC operators will be able to use DNT’s HAMMERMILL Insertion Tool (HIT) to control the PBD as it captures and examines all IP packets passing through the host router.

The description doesn’t explicitly say, but I imagine that the internal functioning is an extra set of rules, much like the router would normally use, but geared more towards an intrusion detection system like SNORT.

Pure guesswork, then, but if that is true, then the operation could be something like:

  • Install HEADWATER
  • Router boots and HEADWATER fires up, presumably opening or allowing a connection to/from the ROC
  • ROC operator either uploads new SNORT-like rules to check traffic or looks at the progress so far

ID-databases can grow pretty quickly, so offline persistence is a question–does HEADWATER run the exploit autonomously and report, or only when told to with a live stream? If it’s ever found in the wild by a disinterested (not gov’t- or corporate-employed) researcher, I bet there will be some real revelations…

I would also guess that there is a potential for a noticeable performance hit–try looking for everything, and the router starts bogging down. Next thing you know, the local maintenance department is digging into the system or looking at replacing it because it’s bogging down the system.

I would guess that the performance impact is one of the things the ROC would watch–balancing stealthiness against the eavesdropping requests.

Marcos El Malo January 14, 2014 3:53 PM

@David

“Next thing you know, the local maintenance department is digging into the system or looking at replacing it because it’s bogging down the system.”

If these are cheapo consumer grade routers, they’re either getting tossed or reflashed by the cable company that issues them to their customers. I don’t expect anyone is looking into what is causing the problems, since so many fail from “natural causes”.

DB January 14, 2014 4:24 PM

The solution to such pwned routers is open source. Every piece of hardware, every piece of software, every operating system, every BIOS, every firmware, every chip, every motherboard.

Not because open source enables every individual to verify, indeed not everyone has the expertise to understand. But because the principle of openness makes it harder to hide things. What grows in the darkness of secrecy withers in the light of openness.

Closed source, more secrecy, making things unchangeable, and pointless talking heads assuring everyone everything’s ok are not the answers. More freedom and openness is the answer.

To be clear, open source is not a panacea. Being open does not guarantee something is trustworthy. It only guarantees it CAN BECOME trustworthy, over time, with enough peer review. Whereas closed source is impossible to become trustworthy, by virtue of its resistance to review. Trust is earned. No verify, no trust, ever. Verify, someday maybe trust.

Douglas Knight January 14, 2014 4:57 PM

Why is the status of some of these exploits (ie, ready for use, in the field, etc) classified Confidential, while others are Unclassified?

Russ January 14, 2014 5:05 PM

As I said on another thread the real solution to this type of exploit is to have a physical toggle switch that interrupts the flash chip’s write-enable pins or logic to that effect, controlled by that switch.

The age of consumer devices being designed to do firmware updates without physical presence and approval of the owner needs to come to an end.

Companies will complain about ‘field units’ and sending staff in a truck to some remote installation, but hey, if you want real security, too bad, suck it up and send someone to throw the switch for the upgrade.

DB January 14, 2014 5:18 PM

@ Russ you still have to be able to trust the upgrade… how can you, when it’s closed source?

Having the option to use a physical write protection switch is always a good thing, but beware that some such switches already existing on some media devices are in fact software switches that don’t offer any real protection…

David January 14, 2014 5:24 PM

I’m starting to get real curious about the infrastructure needed to sneak out the data, when one of these routers is compromised.

For example, if a compromised router comes across data that needs to be sent back to the ROC, how does it get there stealthily? A set of regular packets marked “Destined for [NSA-registered] IP” is kind of a big flag that something nefarious is going on–so how?

Setting up a roving band of “innocent” servers to collect the data is one possibility, but then you have to keep the clients updated, or tell them where to deliver the goods.

Maybe there is an NSA version of TOR installed along with the PDB–some obfuscated destination that, once it gets into the right hands, gets routed appropriately.

But that, by itself, wouldn’t cover the fact that the traffic output from a compromised router would be much higher than it should be. I’m not sure what kind of traffic analysis would need to be done, but if the router is making copies of interesting data and redirecting it to the ROC, then the packet count going into the server should be significantly different from that coming out.

Hmmm…

Mike Amling January 14, 2014 5:41 PM

“I’m starting to get real curious about the infrastructure needed to sneak out the data, when one of these routers is compromised.”

And what’s it encrypted with? Hardcoded symmetric key? Public key known to the recipient?
Steganography? Disguised as DNS? Oblivious transfer?

Chris Abbott January 14, 2014 7:08 PM

@Stang
This kind of security totally depends on keeping something secret, and as Snowden and others have proved, is very, very difficult these days. A safe in your house made of tinfoil is secure if nobody can find it, sure, but the best solution is a safe nobody can open if it’s found. Anybody that gets in your house when you’re out of town will have ample time to find your tinfoil safe.

DB January 14, 2014 7:53 PM

@stang: security by obscurity is not security, that’s just head in sand.

Here’s a great quote:

“If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that’s not security. That’s obscurity. On the other hand, if I take a letter, and lock it in a safe, and then give you the safe along with the design specifications of the safe and a hundred identical safes with their combinations so that you and the world’s best safecrackers can study the locking mechanism–and you still can’t open the safe and read the letter–that’s security.”
–Bruce Schneier, Applied Cryptography, 2nd Edition, p. xix

Tony H. January 14, 2014 8:12 PM

I’m starting to get real curious about the infrastructure needed to sneak out the data, when one of these routers is compromised.
Clearly they can’t echo everything because it’ll be noticed by volume alone. But they don’t have to echo the whole stream, because they mostly have it already if they have the backbone compromised. What they need is the keys for encrypted traffic going onto the Internet (e.g. VPN between office branches), and the internal traffic that doesn’t go out. Leaking keys should be really easy because the volume is so small. Piggyback it on DNS queries, respond to a few of the usual torrent of breakin attempts that any Internet-exposed box gets. What about a few “call home” or “check for updates” packets to the router maker’s site? Routine NTP time checks? And I’d guess a good implant would do some observing; if there’s a lot of Facebook traffic, just add a few packets from time to time. If there’s a lot of porn site visiting, add a few more. Google, Gmail, Yahoo, etc. etc. if they can observe it all in transit somewhere.

Exfiltrating larger quantities of internal-only traffic would seem harder, but in the common office-to-office VPN scenario, if they can observe the traffic at some point they can sneak in a few extra packets or fields. As long as the other end has also been compromised so it doesn’t object… When I look at what goes in and what comes out of the (enterprise-grade) VPN box here, I see all kinds of mostly TCP stuff on the inside, HTTP, FTP, Windows SMB, etc, and nothing but RFC 4303 ESP packets on the outside. Packet sniffing on both sides at once tells me nothing; it would take much better tools to see anything amiss.
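
An added example, not part of the original post, that turns David’s packet-count argument and Tony H.’s refinement into checks a router operator could run over exported counters and flow records. It assumes a router at 192.0.2.1 with an allow-list of peers it legitimately talks to on its own behalf (addresses and samples are constructed); the conservation check catches bulk copying of transit traffic, the self-flow check catches new “call home” destinations, and neither catches a few hundred bytes of keys tucked into an existing NTP or DNS exchange, which is exactly why Tony H. expects that channel.

```python
from dataclasses import dataclass

# Assumed addresses (constructed, RFC 5737 documentation ranges): the router's own
# management address and the peers it may talk to on its own behalf (DNS, NTP).
ROUTER_ADDR = "192.0.2.1"
ALLOWED_SELF_PEERS = {"192.0.2.53", "203.0.113.123"}


@dataclass(frozen=True)
class Counter:
    """Per-interface byte counters sampled once per window (SNMP octet counter deltas)."""
    window: int
    iface: str
    rx_bytes: int
    tx_bytes: int


@dataclass(frozen=True)
class Flow:
    """A flow record exported by the router (NetFlow/IPFIX style, reduced to what we need)."""
    window: int
    src: str
    dst: str
    bytes: int


def self_originated_excess(counters):
    """Per window: total bytes transmitted minus total bytes received over all interfaces.

    Forwarded traffic is counted once on ingress and once on egress, so for a transit
    router the two sums nearly cancel. What remains is traffic the router generated
    itself (routing chatter, NTP, syslog) minus whatever it dropped. Extra copies of
    transit packets sent to a third party show up here as excess egress.
    """
    per_window = {}
    for c in counters:
        rx, tx = per_window.get(c.window, (0, 0))
        per_window[c.window] = (rx + c.rx_bytes, tx + c.tx_bytes)
    return {w: tx - rx for w, (rx, tx) in per_window.items()}


def flag_volume_anomalies(counters, baseline_windows, tolerance=2.0):
    """Windows outside the baseline whose excess egress exceeds tolerance x the worst baseline window."""
    excess = self_originated_excess(counters)
    baseline_max = max(excess[w] for w in baseline_windows)
    threshold = tolerance * max(baseline_max, 1)
    return sorted(w for w, e in excess.items() if w not in baseline_windows and e > threshold)


def flag_unexpected_self_flows(flows):
    """(window, destination) pairs where the router itself talks to a peer not on the allow-list."""
    return sorted({(f.window, f.dst) for f in flows
                   if f.src == ROUTER_ADDR and f.dst not in ALLOWED_SELF_PEERS})


# Constructed sample: windows 0-2 are clean history. In window 3 the router emits an
# extra 350 kB on the WAN side that never entered on any interface, and a flow from
# its own address to an unknown peer appears in the same window.
SAMPLE_COUNTERS = [
    Counter(0, "lan", 1_000_000, 500_000), Counter(0, "wan", 500_000, 1_001_500),
    Counter(1, "lan", 1_200_000, 600_000), Counter(1, "wan", 600_000, 1_201_800),
    Counter(2, "lan",   900_000, 450_000), Counter(2, "wan", 450_000,   901_200),
    Counter(3, "lan", 1_100_000, 550_000), Counter(3, "wan", 550_000, 1_450_000),
]
SAMPLE_FLOWS = [
    Flow(0, ROUTER_ADDR, "192.0.2.53", 120),         # DNS lookup, allowed
    Flow(1, ROUTER_ADDR, "203.0.113.123", 76),       # NTP, allowed
    Flow(3, ROUTER_ADDR, "198.51.100.77", 340_000),  # router talking to an unknown peer
    Flow(3, "192.0.2.10", "198.51.100.77", 5_000),   # a LAN host; not router-originated
]


def analyze(counters=SAMPLE_COUNTERS, flows=SAMPLE_FLOWS, baseline_windows=(0, 1, 2)):
    """Run both checks and return the flagged windows and destinations."""
    return {
        "volume_anomalies": flag_volume_anomalies(counters, set(baseline_windows)),
        "unexpected_self_flows": flag_unexpected_self_flows(flows),
    }


if __name__ == "__main__":
    print(analyze())
```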

John Doe January 14, 2014 9:04 PM

My old routers seemed to have a lot of logging features and the ability to write a lot of rules and create filters. Most of my recent routers have less and less ability to monitor or modify. Practically tweak proof.

I see why now. They don’t want users to have control.

I don’t think the NSA needs to use their tricks on American hardware, the backdoors and loggers are already built into the chip.

David January 14, 2014 9:17 PM

@Tony H.

You might be right–most of the scenarios that play out in arguments and jokes are “they copy everything”, but maybe it’s just encryption seed/keys and connectivity info…all of which would be exceedingly small and easy to drop into a gig+ pipe without anyone noticing.

As for delivery home, I’m not sure how it would play out. If I were a super-secret paranoid spy agency, guaranteed delivery would be a lot more important than depending on another hacked site to gather up your messages-in-a-bottle.

I guess the easiest way would be to include an alternate routing with your exploits–as you break through firewall/router security, the next hop just backtracks through the previous infiltration until it’s out in the wild intarwebs, where any number of methods can be used to send it home. Incoming commands can act as a gateway protocol–keeping routes up to date–and the “shadow” routing table would fit right into the existing functionality of the appliance.

If you’re trying to keep a random admin from stumbling upon your secret DarkNet routing tables, I guess you could reserve some memory–especially since a lot of these are firmware updates. Getting toward the outer limits of my expertise, but could oddball memory usage be a worthwhile indicator of a compromise?

Nick P January 14, 2014 10:49 PM

@ DB

“but beware that some such switches already existing on some media devices are in fact software switches that don’t offer any real protection…”

Forgot to add: excellent point. Those must be avoided.

Jay January 14, 2014 11:17 PM

@Russ:

Physical write switches are no defence against an opponent with evil maids, burglars, or access to the equipment before it ships.

[Also worth noting: in this hack, they already have control over the router before they make it reflash itself. Depending on the CPU architecture, they might have been able to make their backdoor live entirely in RAM instead.]

…I’d almost prefer firmware that automatically reflashes itself weekly, from updates the manufacturers’ HTTPS site. Sure, it’s an easy path in for anyone who can compel the CA or the manufacturer to deliver you dodgy firmware – but at least that’s a legal path. How does handing permanent access to the first random hacker (NSA or not) with an exploit for your old firmware help any?

you've.got.mail January 14, 2014 11:24 PM

@DB Security is simply another name for safety.

As an end, it can be achieved by taking control of the situation in one way or another.

Physical control may prevent an attack by interposing an obstacle too big to be physically moved.

Epistemological control may prevent an attack by denying an attacker the knowledge that they need to interfere.

And sometimes obscurity plus a provision for loss recovery provides satisfactory security:

https://en.wikipedia.org/wiki/Hope_Diamond

“Smithsonian mineralogist George Switzer is credited with persuading Harry Winston to donate the Hope Diamond to the Smithsonian National Museum of Natural History for a proposed national gem collection to be housed at the museum.[47] On November 10, 1958,[12] Winston donated the diamond to the Smithsonian Institution, where it became Specimen #217868,[48] sending it through U.S. Mail in a box wrapped in brown paper,[2] insured via registered mail at a cost of $145.29, of which only $2.44 was for postage with the remainder covering insurance for the gem’s $1 million value at that time.”

Peter January 15, 2014 12:04 AM

So this is why US companies shouldn’t use Huawei routers? I read “the ROC operator” and wondered what Taiwan has got to do with it…

Russ January 15, 2014 1:04 AM

@Jay, @DB

I was speaking specifically against persistent code threats written to flash, applied remotely. I understand that a black-bag job can do a firmware update even if one must flip a switch to enable the update; and that in-RAM (non-persistent) malware doesn’t need to update the firmware.

I’m just saying, hardware write-protect to persistent storage is one of many defenses that nowadays just seems to be out of fashion. I’m old enough to remember floppy discs that had a hole cut in the side or a slot that could be closed to control writing. It’s always bothered me that USB keys similarly should all have a hardware switch to prevent writing (and the SD card standard didn’t mandate that the write-protect switch was implemented either!). That might prevent many “air gap” jumping malware if modern storage didn’t always allow writing.

rogerh January 15, 2014 1:57 AM

All these exploits are sort of interesting – but what is the point of it all? Seems to me that when it comes to terrorists and serious spies the NSA and GCHQ are now a busted flush. Both the US and UK governments could save big bucks by cutting back both operations. Then again what useful information could looking into folk’s computers and comms discover – what Uzbek tank commanders eat for breakfast, the colour of Mrs Merkel’s underwear, the sex antics of oil sheiks, the latest method India uses to manufacture some drug or other. Interesting but nearly useless. Of more use – who buys typewriter ribbons on eBay.

Much more sinister is passing across the doings of local political opponents – very wrong, let politicians flog each other in public – to use spying is to subvert democracy. As for understanding the intentions of governments – that is what embassy parties are for – local knowledge – getting into bed (literally) with your target. Similarly with industrial secrets – there are really very few secrets – what matters is the state of education and sophistication within a nation. A close study of trade press and academic journals and the blogs reveals a lot – what one can do, so can another.

Then there is the cost. From a cold financial point of view the damage terrorists do does not amount to much and there is no evidence spying has any real chance of stopping terrorists – the ones that have been publicly unmasked were pretty poor specimens. But any terror event is embarrassing to the politicians, it makes them look powerless and to avoid that seems worth any cost (to the taxpayer). Maybe what really scares the politicians is just you and me.

65535 January 15, 2014 3:07 AM

@renke

“…this is the only one with remote installation mentioned.”

I noticed that too. I also notice “On the shelf ready for deployment” and on Huawei routers.

@David

“ID-databases can grow pretty quickly, so offline persistence is a question–does HEADWATER run the exploit autonomously and report, or only when told to with a live stream? If it’s ever found in the wild by a disinterested (not gov’t- or corporate-employed) researcher, I bet there will be some real revelations… I would also guess that there is a potential for a noticeable performance hit…”

Maybe and then maybe not – think about a BIOS hack and the CALEA law requirements.

[and]

“…if a compromised router comes across data that needs to be sent back to the ROC, how does it get there stealthily? A set of regular packets marked “Destined for [NSA-registered] IP” is kind of a big flag that something nefarious is going on–so how? …but if the router is making copies of interesting data and redirecting it to the ROC, then the packet count going into the server should be significantly different from that coming out.”

Unless it was “legal” exfiltrating of the traffic.

@Tony H

“Exfiltrating larger quantities of internal-only traffic would seem harder, but in the common office-to-office VPN scenario, if they can observe the traffic at some point they can sneak in a few extra packets or fields. As long as the other end has also been compromised so it doesn’t object… When I look at what goes in and what comes out of the (enterprise-grade) VPN box here, I see all kinds of mostly TCP stuff on the inside, HTTP, FTP, Windows SMB, etc, and nothing but RFC 4303 ESP packets on the outside. Packet sniffing on both sides at once tells me nothing; it would take much better tools to see anything amiss.”

Again, the CALEA law requirements force all manufacturers to provide a backdoor. There may be no need to sneak a few packets to the government – the whole stream may be legal.

This is just speculation – but what if the US government put the arm on Huawei to provide a “super back-door” to be able to sell routers in the US under the ruse of CALEA. The NSA could then put a set of implants into the CALEA port mirror or deep packet inspection probe to send all information to Fort Meade for further analysis (It may be against the “spirit of the law” but possibly “not be against the law” if the data was routed through the FBI’s router then to the NSA).

Here is some broad technical data on CALEA:

‘Technical Implementation’

“USA telecommunications providers must install new hardware or software, as well as modify old equipment, so that it doesn’t interfere with the ability of a law enforcement agency (LEA) to perform real-time surveillance of any telephone or Internet traffic. Modern voice switches now have this capability built in, yet Internet equipment almost always requires some kind of intelligent Deep Packet Inspection probe to get the job done. In both cases, the intercept-function must single out a subscriber named in a warrant for intercept and then immediately send some (headers-only) or all (full content) of the intercepted data to an LEA. The LEA will then process this data with analysis software that is specialized towards criminal investigations.

“All traditional voice switches on the U.S. market today have the CALEA intercept feature built in. The IP-based “soft switches” typically do not contain a built-in CALEA intercept feature; and other IP-transport elements (routers, switches, access multiplexers) almost always delegate the CALEA function to elements dedicated to inspecting and intercepting traffic. In such cases, hardware taps or switch/router mirror-ports are employed to deliver copies of all of a network’s data to dedicated IP probes.

“Probes can either send directly to the LEA according to the industry standard delivery formats (c.f. ATIS T1.IAS, T1.678v2, et al.); or they can deliver to an intermediate element called a mediation device, where the mediation device does the formatting and communication of the data to the LEA. A probe that can send the correctly formatted data to the LEA is called a “self-contained” probe.

“In order to be compliant, IP-based service providers (Broadband, Cable, VoIP) must choose either a self-contained probe (such as made by IPFabrics), or a “dumb” probe component plus a mediation device (such as made by Verint), or they must implement the delivery of correctly formatted for a named subscriber’s data on their own.”

http://en.m.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act

Could CALEA be the ultimate backdoor for the NSA?

Rahul January 15, 2014 4:04 AM

What makes me curious is it has been more than a week now since this exploit has been reported but how come no reports of detection from the wild? None of the guys owning the target routers are aware nor concerned?

Ola January 15, 2014 4:21 AM

@65535
“USA telecommunications providers must install …”

Not router manufacturer.

Didn’t FX Lindner have a presentation about Huawei? From what I remember the software on them was so bad that even your grandmother could write an exploit for them.

It seems to me that this implant catalog is just two years ahead of “open source”. Should we cont. doing router exploitation in open? As it is most certainly used against you.

ted January 15, 2014 8:49 AM

“The PBD will then be activated after a system reboot.”

How often do people reboot their network devices? I work in a data center. Our network gear goes years between reboots.

Bytes January 15, 2014 9:54 AM

@ted I suspect that the firmware can force a reboot after it is loaded. Unless you have and maintain a robust protective monitoring regimen for your systems, such issues would most likely be put down to a “network glitch”; apathy and “if it ain’t broke don’t fix it” also contribute.

What’s always been the elephant in the room is: you have your system & application hardening, secure code development, security operation procedures etc etc, but the supply chain for hardware infrastructure manufacturers? Tin generally gets wheeled in the door; “oh, it’s new and from XXXX hardware manufacturer” no longer (well, has never really) offered any assurance. Classic Trojan horse: your tin is the horse.

CC and EAL is also pretty laughable, you only have to look at the TOR to realise the assurance is only valid when left in the box in a dark room with the moon aligned to Pluto.

I guess I’m just a paranoid old security consultant but these revelations don’t surprise me, though they are interesting to look at in the clear light of day.

Alan Wexelblat January 15, 2014 12:16 PM

I think I have the outline of a system that would not prevent compromises but that would enable the router owner to know if it had been compromised. This assumes the router operator is an honest broker and not just a shill for the NSA or its Chinese counterpart.

Imagine that the router has the ability to compute a one-time pad member number. The generated “checksum” would be computed over the firmware and include sufficient information to uniquely identify each piece of hardware (mac address, gps coordinates, pick your preferred).

On boot and at some agreeable heartbeat interval the device “phones home” with its checksum. If there’s any error the device can’t start up. If there’s an error after that you can do any number of things such as take the router offline, raise an alarm, etc.

I think this gives three possible places to attack: the router, home, and man-in-the-middle. Assuming that the crypto is sufficiently good you ought not to be able to predict what the sum should have been so you can’t either force the router to emit it or have a MITM emit it. That leaves a compromise of the central device, which is always possible but I would hope easier to detect. There are fewer of them and they can be in more monitored and checked locations than a distributed network of routers.

You could say that I haven’t solved the problem – just moved it upstream. I think I read that a variant of “compromise the phone-home controller” was used as part of the Natanz operation, but the question posed was “how might we detect that a router has been turned into an eavesdropping platform” and that’s what I’m trying to address.
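
An added example, not from the original comment, of the phone-home scheme sketched above: the device computes an HMAC over the firmware hash, its identity and a monotonic counter; “home” recomputes the tag from the firmware hash it expects and the counter it last saw, so an altered image, a forged report without the key, and a replayed report all fail. Key, device id and firmware bytes are constructed placeholders, and the key is assumed to sit in hardware the firmware cannot read; a measurement taken by code the implant already controls (HEADWATER activates after reboot) can hash the clean image while running something else, which is the “moved upstream” problem the comment acknowledges.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed values. DEVICE_KEY is assumed to live in a hardware root of trust that the
# running firmware can use but not read out; if the implant can read it, the scheme fails.
DEVICE_ID = "rtr-01"
DEVICE_KEY = b"constructed-per-device-secret-key-0001"
GOOD_FIRMWARE = b"CONSTRUCTED-FIRMWARE-IMAGE-v1.0"


def fw_digest(image: bytes) -> bytes:
    """Measurement of the firmware image."""
    return hashlib.sha256(image).digest()


def attestation_tag(key: bytes, fw_hash: bytes, device_id: str, counter: int) -> bytes:
    """HMAC over (firmware hash || device identity || monotonic counter)."""
    msg = fw_hash + device_id.encode() + counter.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class Device:
    device_id: str
    key: bytes
    firmware: bytes          # image actually present on the device
    counter: int = 0

    def heartbeat(self):
        """Measure the image, bump the counter and emit (id, counter, tag)."""
        self.counter += 1
        tag = attestation_tag(self.key, fw_digest(self.firmware), self.device_id, self.counter)
        return (self.device_id, self.counter, tag)


@dataclass
class Verifier:
    keys: dict                        # device_id -> per-device key
    expected_fw: dict                 # device_id -> known-good firmware hash
    last_counter: dict = field(default_factory=dict)

    def verify(self, report) -> str:
        device_id, counter, tag = report
        if device_id not in self.keys:
            return "unknown device"
        if counter <= self.last_counter.get(device_id, 0):
            return "replay"           # an old report resent by a man-in-the-middle
        # Recompute with the hash the verifier expects, never with one the device claims:
        # a device running altered firmware cannot produce a matching tag without the key.
        expected = attestation_tag(self.keys[device_id], self.expected_fw[device_id],
                                   device_id, counter)
        if not hmac.compare_digest(expected, tag):
            return "firmware mismatch or forged"
        self.last_counter[device_id] = counter
        return "ok"


def run_scenario():
    """Exercise the three attack points from the comment: router, home link, MITM."""
    home = Verifier({DEVICE_ID: DEVICE_KEY}, {DEVICE_ID: fw_digest(GOOD_FIRMWARE)})
    results = []
    good = Device(DEVICE_ID, DEVICE_KEY, GOOD_FIRMWARE)
    first = good.heartbeat()
    results.append(home.verify(first))                       # clean device: "ok"
    results.append(home.verify(first))                       # same report again: "replay"
    implanted = Device(DEVICE_ID, DEVICE_KEY, GOOD_FIRMWARE + b"+IMPLANT", counter=good.counter)
    results.append(home.verify(implanted.heartbeat()))       # altered image: mismatch
    mitm = Device(DEVICE_ID, b"attacker-guess", GOOD_FIRMWARE, counter=good.counter + 5)
    results.append(home.verify(mitm.heartbeat()))            # no key: mismatch
    results.append(home.verify(good.heartbeat()))            # next clean beat: "ok"
    return results


if __name__ == "__main__":
    print(run_scenario())
```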

Insider January 15, 2014 12:49 PM

As you mentioned, Bruce, this HEADWATER report is from 2008. There has been an enormous amount of innovation in the router/load balancer space since then… so I wonder if these backdoors still exist?

More importantly, as someone inside this industry and with an intimate knowledge of the hardware and software involved, it is a well-known secret that Huawei simply steals or copies other companies software and designs. (One of the benefits of doing your design/mfg in China, I guess.)

So the bigger question here is whether this backdoor existed in some IP they stole from elsewhere, or if it is in the part of the code that they wrote themselves?

In other words, if this works on a Huawei device, it is entirely possible there are other devices in the industry with the same weakness. (This wouldn’t be the first time that Huawei’s “product development” techniques were exposed by copying other mfgs unique bugs…)

Tony H. January 15, 2014 2:24 PM

Could CALEA be the ultimate backdoor for the NSA?
Thing is, CALEA applies to telcos and ISPs and such, and the NSA is already in a position to tell them what to do via NSLs and the like. CALEA doesn’t provide for telling a company to spy on its own employees. I’d think the targets of the items in this catalog are routers/firewalls in corporate settings, and ISPs outside the USA where CALEA doesn’t help in any case.

Benni January 15, 2014 3:28 PM

I know a neighbour who has a router called Speedport IP 724V A from Deutsche Telekom. In the manual, it is said that this is actually a Huawei router. This is also what Wikipedia says: http://de.wikipedia.org/wiki/Speedport

Looking at the configuration interface, it becomes clear that this router has a built-in firewall that can not be switched off. But strangely one also can not configure (i.e. open or close) the following ports:

21,1900,5060,5061,7547,37215,37443,50000-50019,54058-56003,56005

The config site of the router says that all these ports can not be configured by the user, as they would be used by the internet service provider for maintenance work.

Indeed, if one does a firmware reset, the router gets automagically the newest firmware after the restart.

It is perhaps this way that the NSA can get into Huawei routers.

They make the router believe, they are the internet service provider and install a “firmware update” through these service ports that the user can not configure.

The only way to work around this would be, as far as I know, to throw the Huawei router aka speedport.ip 724 into the waste bin.

Other routers might have other backdoors, as one sees from this backdoor, where an undocumented service listens on port 32764 that spills out your WLAN password into the internet:

https://github.com/elvanderb/TCP-32764

The search engine Shodan now lists 13219 routers on the worldwide net that have this backdoor open:

http://www.shodanhq.com/search?q=port%3A32764

It is somewhat scary that three manufacturers produce routers with exactly the same backdoor. This is the recent list of devices with that behavior:

Cisco WAP4410N-E 2.0.1.0, 2.0.3.3, 2.0.4.2, 2.0.6.1 (issue 44)
Linksys WAG120N (@p_w999)
Netgear DG834B V5.01.14 (@domainzero)
Netgear DGN2000 1.1.1, 1.1.11.0, 1.3.10.0, 1.3.11.0, 1.3.12.0 (issue 44)
Netgear WPNT834 (issue 79)
OpenWAG200 maybe a little bit TOO open 😉 (issue 49)

Backdoor confirmed in:

Cisco RVS4000 fwv 2.0.3.2 (issue 57)
Cisco WAP4410N (issue 11)
Cisco WRVS4400N
Cisco WRVS4400N (issue 36)
Diamond DSL642WLG / SerComm IP806Gx v2 TI (https://news.ycombinator.com/item?id=6998682)
LevelOne WBR3460B (http://www.securityfocus.com/archive/101/507219/30/0/threaded)
Linksys RVS4000 Firmware V1.3.3.5 (issue 55)
Linksys WAG120N (issue 58)
Linksys WAG160n v1 and v2 (@xxchinasaurxx @saltspork)
Linksys WAG200G
Linksys WAG320N (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/)
Linksys WAG54G2 (@_xistence)
Linksys WAG54GS (@henkka7)
Linksys WRT350N v2 fw 2.00.19 (issue 39)
Linksys WRT300N fw 2.00.17 (issue 34)
Netgear DG834[∅, GB, N, PN, GT] version < 5 (issue 19 & issue 25 & issue 62 & jd & Burn2 Dev)
Netgear DGN1000 (don’t know if there is a difference with the others N150 ones… issue 27)
Netgear DGN1000[B] N150 (issue 3)
Netgear DGN2000B (issue 26)
Netgear DGN3500 (issue 13)
Netgear DGND3300 (issue 56)
Netgear DGND3300Bv2 fwv 2.1.00.53_1.00.53GR (issue 59)
Netgear DM111Pv2 (@eguaj)
Netgear JNR3210 (issue 37)

A-Team January 15, 2014 5:17 PM

Cisco fixed this particular vulnerability — Eloi Vanderbeken’s — late on the 10th of January with an update on the 14th suggesting it was an “undocumented test interface” without really saying whose, how it got into their products, how it was possible for Cisco not to have been aware of it earlier, nor why they hadn’t done something about it if it was such a serious vulnerability but one easy to patch.

I could not really jibe Cisco’s sketchy explanation with what EV reported in such fantastic detail, attributing it to the common denominator in all these devices, SerComm.

Maybe someone here who is a ‘registered customer’ can access the details:

“A vulnerability in the Cisco WAP4410N Wireless-N Access Point, Cisco WRVS4400N Wireless-N Gigabit Security Router, and the Cisco RVS4000 4-port Gigabit Security Router could allow an unauthenticated, remote attacker to gain root-level access to an affected device. This vulnerability can be triggered from the LAN interfaces of the Cisco WRVS4400N Wireless-N Gigabit Security Router and the Cisco RVS4000 4-port Gigabit Security Router from the wireless LAN (WLAN) and the LAN interfaces of the Cisco WAP4410N Wireless-N Access Point.

This vulnerability is due to an undocumented test interface in the TCP service listening on port 32764 of the affected device. An attacker could exploit this vulnerability by accessing the affected device from the LAN-side interface and issuing arbitrary commands in the underlying operating system. An exploit could allow the attacker to access user credentials for the administrator account of the device, and read the device configuration. The exploit can also allow the attacker to issue arbitrary commands on the device with escalated privileges.

This vulnerability is documented in Cisco bug ID CSCum37566 (registered customers only) for the Cisco WAP4410N Wireless-N Access Point; Cisco bug IDs CSCum43693 (registered customers only) and CSCum43700 (registered customers only) for the WRVS4400N Wireless-N Gigabit Security Router; and Cisco bug ID CSCum43685 (registered customers only) for the Cisco RVS4000 4-port Gigabit Security Router. This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2014-0659.”

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140110-sbd

65535 January 16, 2014 2:29 AM

@Ola
It depends on the definition of a “USA telecommunications provider” regarding CALEA and the NSA/FISA. Are we talking Tier 1 or Tier 2 or Tier 3 providers – or all of them?

I agree that Huawei probably has easily hacked (or stolen) software. But, it is also possible the NSA weakened their software.

@Tony H
“…CALEA applies to telcos and ISPs and such, and the NSA is already in a position to tell them what to do via NSLs… I’d think the targets of the items in this catalog are routers/firewalls in corporate settings, and ISPs outside the USA where CALEA doesn’t help in any case.”
Maybe, but a corporation has to transit the telcos to get software patches and reach branch offices. Level 3 is an example of that type of link (Level 3 is composed of Global Crossing with multinational links). Level 3 was tapped; why not others? It would be a great way to push out the NSA firmware and software exploits.

@Benni
Your post was in-depth and unpleasantly surprising. From your tone you seem to be indicating that the back-doors are from the factory (it would seem unlikely – but possible – that all those routers were interdicted and exploited during shipping). I find it hard not to think the NSA did not twist some arms and get those routers and firewalls exploited (or ready for exploitation).

@A-Team
‘…it was an “undocumented test interface” without really saying whose, how it got into their products, how was possible for Cisco not to have been aware of it earlier… could not really jibe Cisco’s sketchy explanation…’

Could it be NSA arm twisting to weaken routers and firewalls – all in the name of “National Security?” The same goes for the FBI now that they have adopted the “National Security” tag-line. I think Cisco has some explaining to do – and not just “non-denials” but real explaining.

Benni January 16, 2014 6:50 AM

@65535

“From your tone you seem to be indicating that the back-doors are from the Factory”

Yes, the security issue reported by Vanderbeken is built in from the factory. The firmware of these routers has this “undocumented test interface” when they are shipped.

@A-team:
Did Cisco really fix this now? Since, according to the German magazine c’t, Cisco wants to deliver a fix by the end of January:
http://www.heise.de/security/meldung/Router-Backdoor-Cisco-Netgear-und-Linksys-versprechen-Schutz-2084884.html

c’t also wonders why these companies say they will fix that problem now, given that Vanderbeken was not the first to report it. For example, Netgear was asked in its support forum here: http://www.netgear-forum.com/forum/index.php?showtopic=6192 by a French customer in the year 2003 about exactly this backdoor.

c’t wonders here: http://www.heise.de/security/meldung/Backdoor-in-Routern-Hersteller-raetseln-und-analysieren-2077308.html why these manufacturers, with the notable exception of Cisco, are merely saying that they are investigating this, without proposing a fix or telling how these backdoors came into the routers.

By the way, according to the Washington Post, the NSA has currently infected 10,000 computers with their malware:

http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html?hp&_r=1

A- January 16, 2014 9:26 AM

This morning, Shodan notes a few thousand routers on the internet with port 32764 open:

http://www.shodanhq.com/
Results 1 – 10 of about 1559 for port:32764 ScMM
Results 1 – 10 of about 3488 for port:32764 MMcS

You can test your own router with telnet for LAN and these links for WAN. (I myself have nothing to fear as I have nothing to hide but checked anyway: port closed!)

http://www.router-backdoor.de/?lang=en
http://www.canyouseeme.org/
http://www.yougetsignal.com/tools/open-ports/

Sercomm is the Taiwanese company that actually manufactures routers and firmware for resellers such as Cisco. It was founded in 1992. Here is a list of embedded devices — it matches the list of known affected routers according to arstechnica:

http://wikidevi.com/w/index.php?title=Special:Ask&q=%5B%5BManuf::SerComm]]+[[Global+type::~embedded*]]&po=%3FFCC+ID%0D%0A%3FFCC+approval+date%3DFCC+date%0D%0A%3FEstimated+date+of+release%3DEst.+release+date%0D%0A%3FEmbedded+system+type%0D%0A%3FCPU1+brand%0D%0A%3FCPU1+model%3DCPU1+mdl.%0D%0A&eq=yes&p[format]=broadtable&sort_num=&order_num=ASC&p[limit]=500&p[offset]=&p[link]=all&p[sort]=&p[headers]=show&p[mainlabel]=&p[intro]=&p[outro]=&p[searchlabel]=%E2%80%A6+further+results&p[default]=&p[class]=sortable+wikitable+smwtable&eq=yes
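A defender-side version of the LAN check the commenter describes, as an added example (not code from the thread, from Shodan, or from any vendor): it TCP-connects to a router's LAN address on port 32764 and labels any unprompted reply that starts with either ScMM/MMcS magic string Shodan lists. The stand-in "device" that sends the magic on connect is constructed for the demo; whether a real affected router volunteers those bytes without a request is an assumption, so an open port by itself is the actionable finding.

```python
import socket
import threading

# Port of the undocumented SerComm "test interface" the thread discusses.
BACKDOOR_PORT = 32764
# The two Shodan banner strings are the same 4-byte magic in opposite byte order.
MAGICS = (b"ScMM", b"MMcS")


def probe(host, port=BACKDOOR_PORT, timeout=2.0):
    """TCP-connect to host:port; return ("open", bytes_volunteered) or ("closed", b"").
    An open 32764 on a consumer router is the finding by itself; any bytes the
    listener sends unprompted are passed back for classify()."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            try:
                return "open", conn.recv(64)
            except socket.timeout:
                return "open", b""  # open, but the service stayed silent
    except OSError:  # connection refused, unreachable, or connect timed out
        return "closed", b""


def classify(banner):
    """Label a reply by the ScMM/MMcS magic; 'no-banner' or 'unknown' otherwise."""
    for magic in MAGICS:
        if banner.startswith(magic):
            return f"sercomm-test-interface (magic {magic.decode()})"
    return "no-banner" if not banner else "unknown"


def start_fake_device(banner=b"ScMM", host="127.0.0.1"):
    """Constructed stand-in for an affected router: accepts one connection on an
    ephemeral port, sends `banner`, closes. Exists so the checker runs offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port
```

Against a real router, call `probe("<router LAN IP>")` with the default port; anything other than `"closed"` deserves a firmware update or a vendor ticket.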

Search Engine Fanatic February 19, 2014 5:47 PM

A month later and Shodan results have doubled.

Almost 30,000 open ports and OVER 9000 exploitable.

Results 1 – 10 of about 28537 for port:32764

Results 1 – 10 of about 3265 for port:32764 ScMM

Results 1 – 10 of about 6797 for port:32764 MMcS

Epic.
