Cisco Shipping Equipment to Fake Addresses to Foil NSA Interception

Last May, we learned that the NSA intercepts equipment being shipped around the world and installs eavesdropping implants. There were photos of NSA employees opening up a Cisco box. Cisco's CEO John Chambers personally complained to President Obama about this practice, which is not exactly a selling point for Cisco equipment abroad. Der Spiegel published the more complete document, along with a broader story, in January of this year:

In one recent case, after several months a beacon implanted through supply-chain interdiction called back to the NSA covert infrastructure. The call back provided us access to further exploit the device and survey the network. Upon initiating the survey, SIGINT analysis from TAO/Requirements & Targeting determined that the implanted device was providing even greater access than we had hoped: We knew the devices were bound for the Syrian Telecommunications Establishment (STE) to be used as part of their internet backbone, but what we did not know was that STE's GSM (cellular) network was also using this backbone. Since the STE GSM network had never before been exploited, this new access represented a real coup.

Now Cisco is taking matters into its own hands, offering to ship equipment to fake addresses in an effort to avoid NSA interception.

I don't think we have even begun to understand the long-term damage the NSA has done to the US tech industry.

Slashdot thread.

Posted on March 20, 2015 at 6:56 AM • 42 Comments

Comments

wiredog • March 20, 2015 7:05 AM

This assumes the equipment isn't compromised at the factory.

As far as fake addresses goes, how is this different, operationally, from shipping to an Amazon locker? I wonder if anyone's used an Amazon locker as a dead drop. There used to be one in a 7-11 in McLean, not far from Langley.

Giuseppe • March 20, 2015 7:13 AM

This is assuming that:

1) NSA isn't planting malware in the hardware factories themselves

2) NSA does not have access to Cisco's customers' database (to cross-match these dead drops)

3) NSA is dumb enough not to spot a delivery of a metric ton of networking hardware to a "normal" address

4) ...

I agree with the conclusion about the damages NSA has done, but thinking that this is an effective technique is wishful thinking.

name.withheld.for.obvious.reasons • March 20, 2015 7:26 AM

I cannot resist...Bruce, does this include the tin-foil friendly addresses?

Martin • March 20, 2015 7:42 AM

Place a unique seal on each, ship overnight. Customer receives unit, logs in to mfr website and views photo of unit under seal as it left the factory.

Archiloque • March 20, 2015 8:01 AM

Starting tomorrow, all Cisco hardware will be shipped to Bruce Schneier's home address, hoping the NSA will be too afraid to do anything :-)

sql • March 20, 2015 8:09 AM

*NSA employee chuckles and writes*

SELECT * 
FROM cisco_dest 
WHERE address NOT IN
   ( SELECT address
     FROM global_address_db )

keiner • March 20, 2015 8:52 AM

This is EXACTLY the type of "security measures" I expected...

Nonsense, nonsense, nonsense...

Suzanne Regalado • March 20, 2015 9:06 AM

What is Cisco doing selling equipment to Assad that will assist him in the wholesale murder of his people?

Craig • March 20, 2015 9:07 AM

I don't suppose Chinese intelligence needs to go to this much trouble. They no doubt have access to Huawei's factory.

Cisco CTO • March 20, 2015 9:19 AM

We should really just deliver this equipment personally with armed guards in an armored vehicle. With the invention of digital currency you really are delivering the vault door in an unattended cardboard box.

Clive Robinson • March 20, 2015 9:34 AM

@ Bruce,

"I don't think we have even begun to understand the long-term damage the NSA has done to the US tech industry."

Whilst that may to a certain extent be true, we definitely know that the IC and some LEA's don't care one iota about it.

And it is this mentality / mindset that is actually the real danger, especially as it's effectively "inbred", which means "cutting funding" to these agencies is not enough, you have to either "lop off the head" or take significant and visible corrective action such as jailing / sacking without pension etc of mainly senior staff.

Sometimes you have to get gore to the elbows to cut out a cancer, it's not pleasant for either the party being cut or the party doing the cutting, but sometimes it's the only way of saving anything worthwhile.

Celos • March 20, 2015 9:45 AM

The damage is pretty simple: US computer and network equipment is now clearly not more secure than Chinese equipment. At the same time, Chinese equipment is far cheaper and will likely remain so. I do not think this damage can be repaired, ever.

On the other hand, totalitarian states usually fail economically (eventually), so it is only smart that the US intelligence community is hard at work ruining the US economy before full totalitarianism is installed.

Andy • March 20, 2015 9:52 AM

Until the U.S. tech industry is willing to pull up stakes and move people out of the U.S., there isn't that much damage - these companies are still cooperating with the U.S. gov't and still selling gear to them. If Cisco really wanted to take a stand, it would not sell or support products bought/installed/or owned by the U.S. government.

There will come a time when people vote with their feet and the most highly skilled and productive members of our society will deem it in their best interests to no longer live and work in the U.S. or keep U.S. citizenship. These people will relocate to lands of greater promise.

reader • March 20, 2015 10:14 AM

And the age old question, if you suspect it, how can you tell if it's government, or crooks?

eCurmudgeon • March 20, 2015 10:33 AM

"We should really just deliver this equipment personally with armed guards in an armored vehicle."
Otherwise known as "trusted distribution", and if I recall has been mandated for years for various trusted systems.

Archon • March 20, 2015 10:42 AM

Complete data security theater, but how else are they going to distance themselves from the US government in their foreign ads without actually distancing themselves from the US (and its government)?

Nick P • March 20, 2015 10:45 AM

@ name.withheld

No, they just ship it to an address like this:

name.withheld
9800 Savage Road,
Fort George G. Meade, MD,
20755-6152

Upon seeing that address, the NSA employees simply leave the package alone.

65535 • March 20, 2015 10:47 AM

“I don't think we have even begun to understand the long-term damage the NSA has done to the US tech industry.”- Bruce S.

That’s the truth!

Worse, not only have our technology companies become undesirable, the US shipping business is now radioactive – who wants to touch them.

@ Clive

Bruce,
“I don't think we have even begun to understand the long-term damage the NSA has done to the US tech industry.” –Bruce S.

'Whilst that may to a certain extent be true, we definitely know that the IC and some LEA's don't care one iota about it.' -Clive

Yes, that is true. The LEA’s and IC community care about their 6 digit annual pay with perks.

We have a number of LEA’s in the news that make over 6 digits per year and say it is “the American Dream.”

‘CHICAGO — Mayor Richard Daley made no apologies Tuesday for making Chicago's new police superintendent the highest-paid employee on the city payroll, insisting the $300,000 a year that Jody Weis will receive is warranted for his responsibilities. Justifying Weis' salary is "very, very easy," Daley said. "Highland Park -- $126,000 for a police chief. How many people live there? Lake Forest, $119,000, Barrington, $113,000, Los Angeles, $300,000."’- The Chicago Tribune

http://www.policeone.com/patrol-issues/articles/1637197-Chicagos-mayor-says-its-very-easy-to-justify-top-cops-300-000-salary/

Returning to the NSA and their related damage, the real problem is that the IC’s tactics have become a net liability!

NSA interdicts and plants bugs in top Technology vendor’s equipment. => International customers cut back on USA Technology purchases => Both the Technology and shipping sectors suffer economic damage => It now becomes increasingly more expensive to defend America from real threats [Real Wars and/or nuclear weapons] => The entire USA population suffers.

[Please excuse the grammar and other errors]

AyKaramba • March 20, 2015 12:45 PM

The potential for booby traps and honeypots is just unbelievable. If I were a newspaper editor, I'd start ordering a bunch of Cisco routers and making sure that they all ship with GPS trackers and minicams strategically positioned inside the box, streaming their content live via a 3G connection. Then I'd just sit and wait for the NSA to give me the front page of a lifetime.

65535 • March 20, 2015 1:15 PM

@ AyKaramba

“The potential for booby traps and honeypots is just unbelievable. If I were a newspaper editor, I'd start ordering a bunch of Cisco routers and making sure that they all ship with GPS trackers and minicams strategically positioned inside the box, streaming their content live via a 3G connection. Then I'd just sit and wait for the NSA to give me the front page of a lifetime.”

Good idea.

I think it will work a few times… until Fedex, UPS, and other shippers are National Security Letter’d [or NSL’d].

The USPS is owned by the Feds or NSA/CIA/FBI/Homeland Security/ and so on. My bet is the shippers under US laws will also be owned.

As soon as the shippers are NSL’d [FedEx, UPS, and so on] then the packages with the GPS and streaming mini-cams will be marked as such and deactivated. Then we will be back at the "radioactive shipper's" problem.

Short interest • March 20, 2015 1:44 PM

2006:
"Cisco: The Human Network."

2012:
"Cisco: Tomorrow Starts Here!"

2015:
"Cisco: Crippling Your Critical National C3 at the Peak of Humanitarian Crisis Since 1994!"

Jim • March 20, 2015 1:46 PM

There is nothing to stop them from intercepting devices addressed to non-terroristic, non-criminal American citizens.

Maybe they need some leverage to crack security at XYZ Tech in Kokomo. Their IT guy orders a personal or business device. It is diverted, cooked to NSA taste, and reshipped. Who's the wiser?

One of the problems is there is no limit to any of this anymore. Elected officials have become circus clowns incapable of responsible governance.

Another problem is the American people don't care about this stuff because it's not right in their face and not obviously harming them.

Parasites operate in a way to keep their hosts alive and functioning to further their own survival and multiplication.

daikiri • March 20, 2015 2:03 PM

@Jim, if they were targeting criminals and terrorists (American or otherwise) I'd get it, but they're not. They're targeting SIM manufacturers, ISPs and sysadmins. They're not protecting us from machete-wielding psychos in Yemen, they're breaking into Linkedin accounts and setting up stingrays in places like Belgium, Holland and Germany. That's what's truly f*cked up.

65535 • March 20, 2015 2:46 PM

@ daikiri

“…if they were targeting criminals and terrorists (American or otherwise) I'd get it, but they're not. They're targeting SIM manufacturers, ISPs and sysadmins… they're breaking into Linkedin accounts and setting up stingrays in places like Belgium, Holland and Germany. That's what's truly f*cked up.”

I agree. When they “Hunt sysadmins” this is truly FUBAR’d!

Marcus • March 20, 2015 3:25 PM

I never believe these companies who say they are shocked at what's going on nor do I believe the public "feuds" such as the Google and Apple are having with the NSA regarding encryption. I think it's all for show; for the consumption of their customers.

And notice Google has backed down - almost completely - on their promise to have encryption turned on by default.

I am not commenting here about the wisdom of having encryption everywhere, that's an entirely different debate I am not settled on one way or the other. I am just saying, this story about Cisco is just total bullshit.

For one, consider their position. OK so you're not Google and bound to the CIA in the form of a protracted joint venture named Intel-Q, you're still freaking Cisco the head of a huge multinational whose products are absolutely critical to national security. It's not like they're making that part up.

So when the NSA comes knocking, what do you say? "No, I could give a crap if international terrorists let a nuke off in Manhattan I'm not installing that back door!" ? Probably that is not what you say.

After 9-11 no one knew what might be next. Of course our computer companies and the phone companies rolled over; they probably thought it was the morally right thing to do; probably you would have done the exact same thing, even if it was technically illegal. That's why Congress gave them retroactive immunity. If they hadn't, what message were they sending to future companies facing future crisis?

There's two different modes of reasoning a nation brings to bear when something like this happens. There's the panicked immediate response logic that says " man the battle stations- this is war!" Then there's the slower, more thoughtful reasoning about what structural surveillance level a free nation can tolerate. That is, what level it can tolerate before it succumbs to steady-state fascism via implicit universal intimidation. You know, disabling of careers, politically motivated prosecutions, just outright blackmail, persecution of dissenters within government and without, corruption of watchdog processes, rancid nepotism, cronyism and corruption which that kind of systemic intimidation engenders in institutions.

These companies were all approached after 9-11 (if not before) and basically asked "are you a good American? Do you care about your country?". You can bet your bottom dollar they all stood up and saluted. I would have done the same thing. No doubt.

We've been in that "mode" for a while now. The sort of relationships between companies and the national security apparatus went there and has remained frozen. Now those same companies are looking at the effects of their actions post-Snowden and they have to do something because no one wants their services. So they're putting on a dog and pony show for their audience.

If Google and Apple were such great principled companies, they wouldn't have illegally conspired (hello, where's the RICO prosecution ?) to screw their employees out of hundreds and hundreds of millions of dollars in wages.

They did it with a smiley :) :

http://pando.com/2014/03/22/revealed-apple-and-googles-wage-fixing-cartel-involved-dozens-more-companies-over-one-million-employees/

(for anyone not following the link, that list appears to also implicate a lot more companies, but including them would have, you know, ruined the flow of the sentence. It names- Pixar and Best Buy and Dell and Oracle and IBM and eBay and Microsoft and Comcast and Clear Channel and Dreamworks, and London-based public relations behemoth WPP. and Adobe and Intel and Intuit and Lucas and. and Cingular and Foxconn and Nvidia and a handful of distributors like Mac Zone and PC Connection and PC Mall. oh and "Some of the “Do Not Call (these employees and offer them jobs) List " because, according to the memo, they share “common board members”: Intuit, JCrew, Nike, and Genentech,Adecco, CDI Business Solutions, Clear Channel, Illumita, Jcrew (!!!), Kforce, Novell, Oglivy, OpenTV, Sun Microsystems..


Point is, since corporations "are too people (my friend" it's safe to characterize Apple and Google as full blown sociopaths who act only to maximize their financial success and have no other value system whatsoever.

So no, despite public pronouncements, they're not standing up to the government on principle, or for any other reason, and what you see is a carefully worked out script between two close business partners the NSA and Google, the NSA and Apple.

It's consumer theater.

Privacy Chernobyl • March 20, 2015 3:25 PM

Nowadays, there are no major barriers to entry in Cisco's business. Now that Cisco's quality is a crap shoot and its commercial integrity is shot to hell, thanks to NSA, the firm's market share can shrivel amazingly quickly.

Looking at NSA-inflicted damage from a diffusion-model standpoint, the only real limiting factor is amortization. That means Cisco's only hope of survival is to roll back accelerated depreciation for everyone. And What do you know?! Hope you weren't planning any big investments!

NSA may be giving industry an insouciant middle finger but the subordinate branches of the US government, like EOP, are shitting bricks.

Matt • March 20, 2015 4:08 PM

I always wondered - are we even supposed to trust Cisco here?

I get that the NSA shouldn't be trusted, but can we even trust Cisco at all on this? They've already been compromised, I don't see why we should ever suspect otherwise?

Tony H. • March 20, 2015 4:10 PM

As with all these things, extreme parsing is needed. Nothing I see in this document or article says that the device that went into the Syrian backbone was from Cisco. Just as likely it was a Huawei box, and the real triumph is that -- like IP packets -- a lot of global package traffic goes through the US, or US controlled locations. It seems just as likely that the Cisco "complaint" is just follow up disinformation to make the likes of Syria more comfortable with Huawei and other non-US gear vis a vis NSA.

LMAO • March 20, 2015 4:16 PM

@Suzanne

It looks like he isn't the one decapitating people and throwing gays onto the ground. So how did providing telco equipment to his country help murder anyone?

ConcernedCitizen • March 20, 2015 5:27 PM

But why bother with the whole Mission Impossible style intercept. I assume they've dropped a National Security Letter on Cisco. They must be in the order/shipping system to see who ordered the device and where it's headed. Just cut to the chase and set up an operation on the plant floor to modify the device at the end of the line prior to packing and shipping. Make it easy on yourself. Cisco (and the other manufacturers) have already been brought to heel; might as well make them lick your boots in public.

切腹 • March 20, 2015 6:36 PM

The devastation NSA has caused is not just diplomatic and economic, though that in itself is utterly beyond the military's mental capacity. This historic CF corrodes US government legitimacy. And who does DoD send on the suicide mission of lying and riding this out? Rogers. Rogers!?! A deck ape like Rogers has no inkling how to contain this catastrophe. They'll run through half a dozen Rogerses before they get NSA under control.

When the military is afflicted with a sad sack who is too stupid even for them, they'd send him to SAC. Now, if the guy can't hack playing Farmville in the bunker, they've got a further place to send him to blackhole his career: NSA!

uh, Mike • March 20, 2015 11:13 PM

National Security Letters? We know the answer already: Demand a pledge that no NSL has been invoked. Failure to pledge is not an admission.

In the military-industrial complex, it's popular to assume the government is trustworthy, due to "same side" considerations. It's part of the reason they deserve each other. And it's wrong.

Apple is now a proud non-governmental entity, and they're profiting mightily by it. That's market forces for you, baby.

65535 • March 20, 2015 11:23 PM

@ ConcernedCitizen

“I assume they've dropped a National Security Letter on Cisco. They must be in the order/shipping system to see who ordered the device and where it's headed. Just cut to the chase and set up an operation on the plant floor to modify the device at the end of the line prior to packing and shipping.”

This is what I would suspect. Either modify the equipment in transit or just do it at the factory.

I was also thinking that the big shippers Fedex, UPS, and so on would also be NSL’d and be required to turn over Cisco’s products to the spooks for implants.


@ Seppuku [切腹]

“The devastation NSA has caused is not just diplomatic and economic, though that in itself is utterly beyond the military's mental capacity... Rogers!?! A deck ape like Rogers has no inkling how to contain this catastrophe. They'll run through half a dozen Rogerses before they get NSA under control.”

Yes, I agree.

When the spooks get a blank check for decades in a row they tend to lose all sense of economic value – or just don’t care as long as they get their over-sized salaries.

Maybe, a 30% to 45% budget reduction across the board would get the NSA's attention.

@ Matt

“I always wondered - are we even supposed to trust Cisco here?”

There is no real reason to trust Cisco. But, their head man is making noises and rattling the cage [and I suspect so is their PR department].

Buck • March 21, 2015 12:40 AM

@uh, Mike

National Security Letters!? We know the big tech firms are already in a downward spiral of racketeering and collusion to suppress fair wages... If they wanted to collectively break through the NSL's, who could possibly stop them? No one but themselves - it's just too damn lucrative to play along! :-\

JonKnowsNothing • March 21, 2015 2:11 AM

@uh, Mike

"National Security Letters? We know the answer already: Demand a pledge that no NSL has been invoked. Failure to pledge is not an admission"

This is called a "Warrant Canary". The NSA and chums are claiming that using a Warrant Canary is illegal and they have several lawsuits on-going to get an "official public" legal finding for this.

Warrant Canaries have been used by libraries and others where they regularly update the date on the canary. Once they stop updating the date the canary sings.

We have had no requests from the FBI/NSA since (date).

In some transparency reports, corporations are trying the following canary format. Once the number goes past 0 the canary sings.

Type of Request:

Section 215 None/0
EO 12333 None/0
NSL None/0

These are part of the ongoing legal suits and corporations are going to lose because claims that reporting this harms National Security and that trumps everything. New proposals will either make these types of reports illegal or actually prevent whatever is used as a trigger from firing. eg updating a number or requiring the dates be incremented to hide Gov activity.

afaik some/all/a few libraries have had to take down their warrant canaries too.

Ladar Levison wrote a few columns briefly discussing what it's like to receive one of these letters. They are pretty iron clad and going in any direction except the one the Gov wants results in a long stay in a very uncomfortable climate at an undesirable address.
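The two canary formats described in the comment above, as an added example that is not part of the original comment thread: a Python checker for the dated statement and for the zero-count table. The ISO date format, the 35-day re-dating window, the function names and the sample texts are assumptions constructed for illustration, and treating a removed row as a tripped canary goes slightly beyond the comment's "number goes past 0" rule.

```python
import re
from datetime import date

# Request categories named in the comment's transparency-report format.
EXPECTED_ROWS = ("Section 215", "EO 12333", "NSL")

# Assumption: the publisher stamps the statement with an ISO date.
DATE_RE = re.compile(r"since\s+(\d{4}-\d{2}-\d{2})")


def check_dated_canary(text, today, max_age_days=35):
    """Dated form: the publisher re-dates the statement on a schedule.

    Returns (tripped, reason). A missing or stale date means the canary
    has 'sung'; a date in the future is treated as invalid, not fresh.
    """
    m = DATE_RE.search(text)
    if not m:
        return True, "statement or date missing"
    try:
        stamped = date.fromisoformat(m.group(1))
    except ValueError:
        return True, "unparseable date"
    if stamped > today:
        return True, "date is in the future"
    age = (today - stamped).days
    if age > max_age_days:
        return True, f"not re-dated for {age} days"
    return False, f"re-dated {age} days ago"


def check_count_canary(text):
    """Count form: every category must be present and read exactly None/0.

    Fails closed: any other value, or a removed row, is reported.
    Returns a list of findings; an empty list means the canary is quiet.
    """
    values = {}
    for line in text.splitlines():
        line = line.strip()
        for label in EXPECTED_ROWS:
            if line.startswith(label):
                values[label] = line[len(label):].strip()
    findings = []
    for label in EXPECTED_ROWS:
        value = values.get(label)
        if value is None:
            findings.append(f"{label}: row missing")
        elif value != "None/0":
            findings.append(f"{label}: reads {value!r}")
    return findings


# Constructed sample inputs (not taken from any real transparency report).
SAMPLE_DATED = "We have had no requests from the FBI/NSA since 2015-03-01."
SAMPLE_COUNTS_QUIET = """Type of Request:
Section 215 None/0
EO 12333 None/0
NSL None/0
"""
SAMPLE_COUNTS_ROW_REMOVED = """Type of Request:
Section 215 None/0
EO 12333 None/0
"""
SAMPLE_COUNTS_NONZERO = SAMPLE_COUNTS_QUIET.replace("NSL None/0", "NSL 2")

if __name__ == "__main__":
    print(check_dated_canary(SAMPLE_DATED, date(2015, 3, 20)))
    print(check_dated_canary(SAMPLE_DATED, date(2015, 6, 1)))
    print(check_count_canary(SAMPLE_COUNTS_QUIET))
    print(check_count_canary(SAMPLE_COUNTS_ROW_REMOVED))
    print(check_count_canary(SAMPLE_COUNTS_NONZERO))
```

A reader monitoring a canary would archive each fetched copy as well, since the signal is the change between copies rather than any single page.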

DB • March 21, 2015 6:13 PM

Obviously, as everyone else is saying here, this is all just worthless hot air by Cisco...

But, just for the sake of argument, let's consider what would happen if such dead drops really were effective at confusing targeted NSA interdiction! Well then, the NSA would simply have to "widen" their targeting, that's all. Very simple. So... you need to get a given router compromised during shipment? Just interdict every shipment within 300 miles of the target address....

This is what totalitarian regimes like the USA do when threatened, they go down white knuckling it, holding on tighter than ever before. Expect it.

Matt • March 21, 2015 10:51 PM

@JonKnowsNothing - lol. Public finding to prevent first amendment due to national security?

There may be a lot of hubris involved with the NSA, but prior restraint is not something the NSA is going to be able to stop.

bob • March 23, 2015 3:20 PM

OK, we all agree NSA == Al Qaeda + $$$.

Don't write BRUCE about it, write your senators and congresspeeps. Get groups of people who DON'T read this blog to do so also. Volunteer for a prez candidate who will close NSA and DHS and so forth.

heh • March 24, 2015 1:39 AM

"I don't think we have even begun to understand the long-term damage the NSA has done to the US tech industry."

Since the Snowden stories started to break, I've been convinced that the NSA's antics have done incalculable long-term damage to the U.S. economy. It's going to take a long time to play out, but the rest of the world used to naively trust U.S. technology and now it doesn't, and there's no putting that genie back in the bottle. Looked at another way, their greed killed the golden goose.
