China Possibly Hacking US “Lawful Access” Backdoor

The Wall Street Journal is reporting that Chinese hackers (Salt Typhoon) penetrated the networks of US broadband providers, and might have accessed the backdoors that the federal government uses to execute court-authorized wiretap requests. Those backdoors have been mandated by law—CALEA—since 1994.

It’s a weird story. The first line of the article is: “A cyberattack tied to the Chinese government penetrated the networks of a swath of U.S. broadband providers.” This implies that the attack wasn’t against the broadband providers directly, but against one of the intermediary companies that sit between the government CALEA requests and the broadband providers.

For years, the security community has pushed back against these backdoors, pointing out that the technical capability cannot differentiate between good guys and bad guys. And here is one more example of a backdoor access mechanism being targeted by the “wrong” eavesdroppers.

Other news stories.

Posted on October 8, 2024 at 7:00 AM • 27 Comments

Comments

Clive Robinson October 8, 2024 12:34 PM

Funny in a sad way but I used CALEA as an example of a bad idea put into legislation just a short time back.

The thing that most do not realise is that the actual “back door” does not need to be present, just the hooks for it in the system.

I doubt many remember back the twenty years to the Greek Olympics, but the main cellphone provider, Vodafone, did not have the CALEA software installed in its equipment. But because the switches had it as a paid-for option, the low level hooks etc were in place in them.

The CIA/NSA used “the games” as an excuse to “check security”, and in the process a backdoor was dropped onto the hooks and more than a hundred senior Greek Government individuals had their phones put under surveillance, as well as some of their families and Arabic businessmen.

For reasons not clear, though incompetence by a CIA officer was indicated, the backdoor was found. As an enquiry got under way and started to home in on events, a phone company employee was found dead and he was blamed. Initially claimed to be a suicide, it was later found to be murder, with fingers pointed at the US.

The point everyone should remember is that when designing communications systems, you must design them in a way that backdoors are not only not possible but indicative behaviour will get flagged up quickly.

Otherwise on the sensible view expressed in Claude Shannon’s pithy maxim of,

“The enemy knows the system”[1],

the enemy will try to build an illicit backdoor in if you give them any crack to exploit.

Such “defensive engineering” to stop it is not something the vast majority of software and other systems developers understand, and it’s long overdue as an industry that ICT “Got its ‘sand’ together” on the matter.

Whilst E2EE when properly done –and it’s mostly not– can protect the “message contents” it does not protect much of anything else about the communications. That is the actual traffic meta-data and meta-meta-data allows not just “Traffic Analysis” but other forms of analysis and correlation by which information can be reasoned.

[1] Actually a rewording of Dutch Prof Auguste Kerckhoffs’s 2nd principle from the early 1880s.

Who? October 8, 2024 12:40 PM

NOBUS at its best.

I hope some day one of these mandated-by-law backdoors will be used to make a truly destructive attack against U.S. critical infrastructures, so they start taking cybersecurity seriously and radically change their minds with relation to government backdoors.

I am sorry for being so harsh, but weakening computer and network (well… both are the same as the old Sun Microsystems slogan said, right?) security has nothing to do with cybersecurity. A secure computer is a secure device, secure against adversaries and secure against us too. I will say more, if NSA finds a vulnerability in a software project developed outside the United States, they should communicate the vulnerability to the developers of that software project too, at least if that software is used in the United States.

No one should play in the cybersecurity field by weakening the security of computer systems, at least not if they play in the “good guys” team.

Well, take this event as a warning note. I am not able to read an article behind a paywall, so I am unsure about what this attack means, but hope it will not be too difficult to fix. And, no, the fix is not changing the backdoor to a different one. The only acceptable fix is closing the backdoor forever.

Who? October 8, 2024 12:46 PM

Another point of view, this one from a non-paywalled source:

hxxps://www.securityweek.com/chinas-salt-typhoon-hacked-att-verizon-report/

There is not much information about this incident right now.

Clive Robinson October 8, 2024 1:15 PM

The story is unclear but people need to consider the following,

1, Many phone “back bones” are IP based networks.

2, The CALEA “back doors” are at the communications switches.

3, The Guard labour monitoring are no longer munching down on doughnuts in a van, but sitting munching at office desks “somewhere”.

4, The switches and guard labour are linked via existing –virtual– networking systems.

Thus this alleged attack may actually be on the virtual network that snakes across the US to the likes of FBI offices in any of the states, not just the state the CALEA “tee” is in place.

Oh, on another “point of the minute” that is “almost the same MO” but a different industry…

It appears a water supply organisation is,

“Slamming the stable door, to the sound of distant hoof beats”…

https://www.reuters.com/technology/cybersecurity/water-utility-american-water-disconnects-computers-following-cybersecurity-2024-10-08/

As some know, one of the first questions I ask is what the business case / rationale is for a computer to be connected not just to the Internet but to any external communications, and quite a few internal ones[1].

Well it appears if the question was asked –and it probably was not– then they did not act sensibly upon it,

‘In a statement on its webpage, American Water said it learned of “unauthorized activity” on its computer network on Oct. 3 and has since disconnected an unspecified number of systems “to protect our customers’ data and prevent any further harm to our environment.”‘

Better late than never?

I’ll let others decide…

[1] See industry standard security recommendations for “Industrial Control Systems”(ICS) that have been mandated in some jurisdictions since the mid 1990’s. Especially where utilities such as communications, power, gas/petrochem, water, sewage and river control are concerned.

Ray Dillinger October 8, 2024 1:16 PM

I wonder how many times this has happened. We will probably never know.

I wonder how large a fraction of the previous occurrences have been discovered. I’d bet a fairly small fraction of a large number, but we will probably never know.

Considering that the police and intel agencies are really profoundly committed to having CALEA access, police and intel agencies who discover it’s being abused wouldn’t want to make the public aware of the abuse. So we haven’t heard about such abuses before now. I wonder how this incident slipped through that conflict of interests to be reported to the public. But we will probably never know.

That’s the thing that really bugs me about the CALEA access. We know it can’t exist without getting used against us, illegally, by foreign actors and crooks. We know conflict of interest means the people who can find out that it has been used illegally have no motivation to tell us. So, how often does it happen? We will never know.

Francois Rabelais October 8, 2024 3:14 PM

“targeted by the “wrong” eavesdroppers” – you are of course referring to the federal government and its malign actors.

(cough)

Even the WSJ – that most reputable example of US regime stenography – stated that the group “might have accessed” – so this could be a boat load of nothing, and little more than typical China bashing from an ever predictable declining US regime.

But consider this: if, as a result of these alleged hacking activities, these backdoors – so decried by the security community – are brought to the attention to the public, and as a consequence are removed, then wouldn’t that be a good thing?

traced by IP October 8, 2024 5:20 PM

@Bruce said ‘ technical capability cannot differentiate between good guys and bad guys.”
Absolutely! There is no such thing as bad or good technology; technology is neutral, application is not.

Clive Robinson October 8, 2024 6:28 PM

Hacking with a barbecue lighter

Not on topic, but there’s been no related Hardware Fault Injection hack pages for quite some time.

However this “fun” page popped up on my radar by accident and it’s something that people should get a feel for if not a good understanding. So,

https://www.da.vidbuchanan.co.uk/blog/dram-emfi.html

And remember kids, if you are going to try this at home, this involves “Hot work”. Which is where you can get both singed and emit your own “magic smoke” and I can assure you mostly it does not smell like barbecue but burnt hair, fingernails especially smell really rank.

Paul October 9, 2024 6:31 AM

Will law enforcement ever learn that ‘lawful access’ inevitably leads to un-lawful access?

4ndr34 October 9, 2024 7:48 AM

@Ray Dillinger – 100% agree.

Even if my comment is late for the party, this is definitely the tip of the iceberg.

And IMHO its impact is worldwide, at least for every western country, not just the USA.

Clive Robinson October 9, 2024 12:30 PM

@ Paul, ALL,

Re : Will they ever learn.

You ask,

“Will law enforcement ever learn…”

You can be sure they already know but care not a jot…

I’ve demonstrated proof of the fact that E2EE will, “if properly done”, defeat any “lawful back door”, including on-device monitoring of the user “plaintext” interface, so it’s a matter of “public record” that the authorities are in fact telling lies.

Around a hundred years ago Upton Sinclair observed,

“It is difficult to get a man to understand something, when his salary depends on his not understanding it.”

So they are not going to change their song/behaviour any time soon.

But also “we the people” are a significant part of the problem in that,

1, People are lazy / like convenience.
2, Suffer from cognitive bias when told the same lie over and over it becomes a faux-truth of “belief not fact”.

It’s why the LE setups of EncroChat etc mobile phones just works over and over for law enforcement.

Technology might not be magic, though it might look like it to many. But getting the technical script / spell / recipe wrong will rapidly turn it into a very real curse to hang around your neck.

Clive Robinson October 9, 2024 3:45 PM

@ Bruce, ALL,

A bit off topic, but possibly related.

It would appear an “unknown” state level group has come up with two sets of “air gap crossing” malware in a relatively short period of time,

https://arstechnica.com/security/2024/10/two-never-before-seen-tools-from-same-group-infect-air-gapped-devices/

“The practice of air gapping is typically reserved for the most sensitive networks or devices connected to them, such as those used in systems for voting, industrial control, manufacturing, and power generation. A host of malware used in espionage hacking over the past 15 years (for instance, here and here) demonstrate that air gapping isn’t a foolproof protection. It nonetheless forces threat groups to expend significant resources that are likely obtainable only by nation-states with superior technical acumen and unlimited budgets.”

Long term readers will know that I developed airgap-crossing PoC code quite some years ago, back before Stuxnet was found. I designed it as PoC to be “fire and forget” to attack voting machines and outlined how it could be done.

Now I would be the first to say I’ve neither “nation-state” affiliation any longer, nor do I have an “unlimited budget”. As for “technical acumen”, well, there are certainly a lot smarter people around than me. My only advantages are a lifetime of curiosity, an ability to see weaknesses in systems, and the happy ability to program on the silicon side of the ISA in the computing stack, not the other side of the “great divide” that high level languages like C and above stack up. Oh, and a professional lifetime of embedded system design/programming.

Which is why years ago I pointed out that “air-gaps” are really insufficient, and proved the point with a weekend spent making an “acoustic network link” based on SLIP using standard parts I had in the old bits box. Hence proving that BadBIOS was more than possible.

Which is why I talk about “energy-gapping” as being the minimum people should aim for not “air-gapping”. Since then a couple of times a year a University in Israel “re-boils some cabbage” and produces a paper that is a variation PoC of things long explained on this blog… So is it actually as difficult to do as the author of the article claims?

But “gap-crossing” is an essential requirement for the use of computers in the modern world. I’ve pointed out just how easy it is to get it wrong, and using USB drives is about the most insecure way possible…

To understand why you need to understand a little about the hardware and the way modern Commercial and Consumer OS’s work.

First off, a USB drive is an “embedded”, often multi-CPU, computer in its own right. As Russian gangs have demonstrated, re-programming them, whilst not trivial, is by no means genius-level work or knowledge.

The other thing you need to understand is that when you plug a USB memory device into a computer with a commercial or consumer OS on it, what it does “fingerprints the OS” to the USB drive. Worse the various stages of the OS interrogation and use of the USB drive are easy to spot.

Further, remember your USB drive might look like a single device in your hand, but the software on it and in the OS can have multiple devices etc (see BadUSB, which also looked like a keyboard to the computer’s OS).

Not much talked about but the software on the USB device 100% decides not just what the computer OS sees but when. Thus hiding hidden storage away from anti-virus scanning and similar is something that is not that difficult to do…

Having done it as PoC back before stuxnet for both installing malware and exfiltrating files out of the sight of AV software and similar… I have been telling people that using USB devices is definitely not the way to do gap-crossing…

So here we are with people getting bitten by the use of USB Memory devices for gap crossing…

Realistically do readers here think people will stop doing it, or just pretend their other measures are sufficient to stop BadUSB and similar happening?

Answers on a postcard to “We are secure because a vendor says so” care of an axis of evil embassy near you.

(Hope the sarcasm comes through there 😉

Who? October 10, 2024 6:10 AM

@ Clive Robinson

But “gap-crossing” is an essential requirement for the use of computers in the modern world. I’ve pointed out just how easy it is to get it wrong, and using USB drives is about the most insecure way possible…

Not really, think on the way USB drives are managed by, let us say, OpenBSD. USBs are not the problem, the operating system is. USB drives should never be automatically mounted, not to say any of its content automatically executed by the underlying operating system.

Another issue is the format of files shared between air/energy gapped systems and the outside world. If you truly need security use auditable –text-only based– files to transfer information; never use complex formats that can hide macros or can exploit a bug in the software that should read them.

Who? October 10, 2024 6:15 AM

@ ALL

How can we know if a networking device is CALEA-compliant? I see no obvious way to know it and there are some devices that may be in a “gray zone” such as network switches, firewalls and other appliances that can be used by telecommunication operators, other business and even individuals. Even computers and commercial operating systems may be a target for CALEA, as they are used by telcos too.

I have not found a list of CALEA-compliant devices, nor a list of device types that should support government-mandated backdoors.

lurker October 11, 2024 12:10 AM

@Who?
If I rolled my own firewall/router on OpenBSD, I wouldn’t give tuppence for CALEA because I’m not a US citizen, and not resident in USA (or subservient territories).
But if you are subject to CALEA then perhaps Kafka or Gogol might have a solution for you . . .

From elsewhere, is this history repeating itself?
‘https://www.schneier.com/blog/archives/2009/11/denial-of-servi.html
‘http://news.bbc.co.uk/2/hi/technology/8094026.stm

Who? October 11, 2024 7:06 PM

@ lurker,

If I rolled my own firewall/router on OpenBSD, I wouldn’t give tuppence for CALEA because I’m not a US citizen, and not resident in USA (or subservient territories).

Not entirely true, I fear. In a perfect, mathematical, world U.S. manufacturers (or any non-U.S. manufacturer that wants to make business in the United States) would have two firmware sets for their devices: one targeted to the U.S. market (with the government-imposed backdoor) and another one targeted to foreign business.

Under this scenario, U.S. corporations, and perhaps citizens too, must use the CALEA-ready firmware flavours, while the rest of the world should use the safer, non-CALEA enabled, alternatives. The key here is that CALEA is a U.S.-only law, other countries are not under this abusive mandatory security-weakening law.

The world, however, does not work in this way: there is only one set of firmware flavours available, so the entire world will run under the CALEA-enabled one. At least when their devices come from a U.S.-based manufacturer.

Remember what happened with the interception by the NSA of mobile phones belonging to high-level government officials in Greece after the 2004 Olympic Games, using CALEA software installed on the Ericsson network switches. Worse still, Ericsson is not even a United States corporation, it is a Swedish multinational.

The real problem with the United States is that it rules with legislation such as CALEA, which is automatically applied to the rest of the world without them even having a chance to vote it down.

sratliff October 11, 2024 8:05 PM

@ Who?

USB drives should never be automatically mounted

Although I agree, I’m doubtful it can make any difference to security. After all, why would someone plug a drive in, other than to mount it? So it’d just be delaying the (nearly) inevitable.

Are the OpenBSD developers using any interesting techniques to make their filesystem drivers more secure? I know they have a reputation for security, but last I looked, there wasn’t anything all that advanced; for example, they weren’t using any kind of unprivileged execution mode or sandbox for drivers. Nor am I aware of any hardening to deal with “smart” devices pretending to be USB flash drives, that in actuality can spontaneously mutate their data; that’s apparently an effective way to break a lot of filesystem code (in general, if not on OpenBSD).

How can we know if a networking device is CALEA-compliant?

Are you asking because you’re selling or considering selling telecommunications services that might be subject to CALEA? If not, is there some other reason to care?

My guess is that anything “smart” or “managed” could be used for CALEA compliance, although I don’t believe the devices themselves need to have any special certification. If they don’t provide something like port mirroring, but they accept firmware updates, “someone” could probably add the necessary feature—as Clive mentioned was done in Greece. With dumber devices than that, there’s still an upstream point where data could be tapped—even if only by some cheesy method such as BGP spoofing or manual routing table tweaks.

Clive Robinson October 13, 2024 12:08 AM

@ folks,

There appears to be a bit of confusion over CALEA and where it has to be placed in a comms network.

The requirement originally was for “circuit switching” systems –that the phone system still was back last century– to be in the equivalent of the “Central Office” switch not in the “On Premises” equipment (so those subject to eavesdropping were “unaware”).

In “packet switching” networks like the IP system that forms “the internet”, that translates to the first “upstream router” –at the service provider– from the customer “gateway”.

The reality is a bit more confusing because if you look at the four layer DOD stack the IP layer sits on top of a “physical layer” that could be anything including X25 and later “Asynchronous Transfer Mode”(ATM) or even more interesting lower level unreliable systems via RF[1]

The thing about both X25 and ATM is they could pipe around the world as switched circuits forming virtual leased lines but to the IP layer just look like a physical four-wire circuit. With only latency giving a clue as to circuit distance and that’s not accurate due to things like node buffering.

[1] There were easy RF links using troposcatter or satellite using “Forward Error Correction”(FEC) due to long latency, low bandwidth or both back in the 1980s. You’d just “plug in a box” from the likes of Plessey or Inmarsat. But back in the early 1980s I even designed and manufactured systems used by HF links that “skip” off of the ionosphere using a horrendous 3 char protocol called SITOR that has a 3 character transmission window –it takes ITU ITA2 5bit characters and recodes them as CCIR 476 7bit characters to get a 3:4 code with a Hamming distance of 2– in “Automatic Repeat reQuest”(ARQ) SITOR/A or double send FEC SITOR/B in space diversity to work 100baud or less for “long haul”.
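
The constant-weight “4 of 7” character code and the 3-character ARQ window described in the footnote above, as an added illustration that is not part of the comment or of any SITOR implementation: every valid character carries exactly four mark bits, so any two valid characters differ in at least two positions, a single flipped bit is always caught by the weight check, but a flip of one mark and one space produces another valid character and goes unnoticed. The mapping of ITA2 values to codewords is a constructed assumption, not the real CCIR 476 table.

```python
from itertools import combinations

# Added example (not from the blog post or its comments): a constant-weight
# "4 of 7" code of the kind described for SITOR / CCIR 476, where every 7-bit
# character carries exactly four mark bits.  The assignment of 5-bit ITA2
# values to codewords below is a constructed assumption for illustration,
# not the real CCIR 476 assignment table.

LENGTH = 7      # bits per transmitted character
WEIGHT = 4      # mark bits in every valid character
BLOCK = 3       # characters per SITOR/A ARQ block


def all_codewords():
    """Every 7-bit word with exactly four 1 bits: C(7,4) = 35 of them."""
    words = []
    for ones in combinations(range(LENGTH), WEIGHT):
        word = 0
        for pos in ones:
            word |= 1 << pos
        words.append(word)
    return sorted(words)


CODEWORDS = all_codewords()
# Constructed assignment: the 32 ITA2 values take the first 32 codewords,
# leaving three codewords free for service signals (e.g. repeat requests).
ENCODE = {value: CODEWORDS[value] for value in range(32)}
DECODE = {word: value for value, word in ENCODE.items()}


def popcount(x):
    return bin(x).count("1")


def is_valid(word):
    """Weight check: the only error detection this code offers."""
    return 0 <= word < (1 << LENGTH) and popcount(word) == WEIGHT


def encode(value):
    return ENCODE[value]


def decode(word):
    """Return the ITA2 value, or None when the weight check fails
    (or the word is one of the three service codewords)."""
    if not is_valid(word) or word not in DECODE:
        return None
    return DECODE[word]


def hamming(a, b):
    return popcount(a ^ b)


def min_distance():
    """Minimum Hamming distance between distinct valid characters."""
    return min(hamming(a, b) for a, b in combinations(CODEWORDS, 2))


def flip(word, *positions):
    """Simulate channel errors by flipping the given bit positions."""
    for pos in positions:
        word ^= 1 << pos
    return word


def arq_receive(block):
    """SITOR/A-style receiver decision for one 3-character block.

    Returns ("ACK", values) if every character passes the weight check,
    otherwise ("RQ", None): the receiver asks for the block to be repeated.
    """
    values = [decode(word) for word in block]
    if len(block) != BLOCK or any(v is None for v in values):
        return ("RQ", None)
    return ("ACK", values)
```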

Who? October 13, 2024 2:23 PM

@ sratliff

On OpenBSD you cannot mount USB storage devices without having elevated privileges, by default. This is a first security layer: if you can mount a USB drive then you have some responsibility for the management of the affected system. It will never automatically execute binaries/scripts on the removable storage media either. Not perfect; as you say, OpenBSD lacks sandboxing of drivers (as does any other Unix-like operating system I am aware of). USB rubber ducky devices are challenging, but I can hardly imagine a way to stop this attack. I guess these devices inject keystrokes before being mounted, so I guess these keystrokes will hopefully happen at an unprivileged level.

You are right, Clive mentioned the Greece incident at the beginning of this thread; I quickly read the posts and missed it, but for some reason my brain started thinking of the interception of phone calls by the NSA, an incident that was published two years after it happened. I read as many details as possible at that time; not much could be found, but enough to consider CALEA a dangerous path. It is a good example of how rules voted in one country may have a huge impact on countries that would never allow them, and without having a chance to vote down these rules before they are approved.

Who? October 13, 2024 2:44 PM

@ Clive Robinson

Indeed, CALEA is intended to be deployed at the core of communication networks. I worked a few times over X.25 networks before moving to the Internet in 1993.

I agree with you, as a difference to the OSI seven-layers model the DoD model lacks a description for the physical layer. The “network access” layer on this model combines the functionality of the two lower layers on the OSI model. I do not see a problem here.

What really worries me is CALEA imposing not only the ability to redirect/monitor traffic on the core network systems, but also the ability to modify these systems remotely (obviously it was done by Chinese hackers[*]). I doubt they will stop here; it is not just a matter of changing routing tables or enabling ports on a switch to listen to traffic coming from other ports. I fear they will enable these technologies directly in firmware (let us say Intel ME/AMT). It is a key process to allow these switches to be modified to listen to network traffic.

One can build a firewall, router, or VPN server using CALEA-free operating systems like OpenBSD, but it is difficult to ignore that firmware is a great place to implement a CALEA-style backdoor. So I choose machines that lack Intel ME/AMT and System Management Mode (SMM) as the foundation to build systems exposed directly to the Internet.

This one is the very reason I am worried: CALEA is no longer a US-only matter; in fact, it never was. Countries that never approved CALEA[†] are now victims of this deliberate weakening process for network security.

[*] how ugly it sounds to me to use the term hacker in this way, when in the beginning it was an honorable title applied to people who just want to get the best out of technology.
[†] as happened to Greece in 2004.

Kowalski October 17, 2024 8:37 PM

This brought back memories of the Firewalla Gold firewall unit I purchased a year ago. I bought a new PC a few months ago and decided to install the Kaspersky web security application on it (weeks before Kaspersky stopped selling subscriptions in US). The Kaspersky AV was quite thorough and frequently initiated network scans for open ports, seemingly from Kaspersky’s own servers.

One recurring finding of those scans was that the WAN side of the Firewalla was listening on port 22. Not sure if this is related to CALEA, but it wouldn’t surprise me if it was.

Clive Robinson October 18, 2024 4:26 PM

@ Who?

Re : China tells US to cease and desist…

You observe a point, well voiced by the US Gov, of,

“What really worries me is CALEA imposing not only the ability to redirect/monitor traffic on the core network systems, but also the ability to modify these systems remotely (obviously it was done by chinese hackers[*])”

It appears the Chinese are aggrieved by the US Gov NSA etc backdooring the systems China uses,

https://www.theregister.com/2024/10/16/china_intel_chip_security/

Not exactly “news”, as China banned quite a bit of US kit from their core systems some years ago, having caught the NSA et al “at it” and having it confirmed by the Ed Snowden revelations.

But… Of course this has all boiled up again very recently because Big US Corps won’t clean up the mess for some “unstated reason” we are supposed to think is just multiple cases of incompetence[1],

https://www.theregister.com/2024/10/18/spectre_problems_continue_amd_intel/

Obviously it’s that “special type of incompetence” or so China claims 😉

[1] In a way it is incompetence, but not in others; if you look up on this site “xmas gift that keeps giving” and “go faster stripes” you will see I’ve not just explained why “specmanship” is behind it, but also that it would take another half to a full decade for them to sort it out. None of them have really attempted to sort it out, which is why we are still seeing these issues coming up and probably will do for another decade or so, if not longer. It’s one of the reasons I say that Personal Computers should not just be connected to external communications, or internal networks where external communications are possible. That is, there should be a solid business case with solid security methods applied. Not doing so is one of the reasons the White House is having thoughts on effectively making ransomware reimbursement insurance payouts not legal,

https://www.theregister.com/2024/10/14/ransomware_insurance_ban/

Moz November 4, 2024 8:04 AM

Washington Post op-ed which claims that this has affected members of both the Trump and Harris campaigns, and so the consequences of this may even include effective election interference.

https://www.washingtonpost.com/opinions/2024/11/02/china-spying-telecom-trump-harris-fbi-cell-phone/

found via

https://news.slashdot.org/story/24/11/03/1953214/millions-of-us-cellphones-could-be-vulnerable-to-chinese-government-surveillance

I guess at least this proves that the people that said “the politicians don’t care because it doesn’t affect them” were wrong. They don’t care even when it affects them.
