Full Disclosure: The Internet Dark Age [pdf] - ge0rg
http://www.politaia.org/wp-content/uploads/2013/12/Full-Disclosure-NSA-GCHQ-Hacks.pdf

======
bostik
I just read through the whole document and it felt like someone was narrating
a bad infomercial. It takes 30 pages for the document to get into the
technical bits and then the research (and mitigation!) methods feel somewhat
half-hearted.

1. The "fix" is to log in to the system and _manually disable at runtime_ the
VLAN and firewall rules. Nothing is said about making the fixes permanent - as
if the authors have never experienced a wedged modem or router. Or had their
power go out. (Perhaps they assume everyone has a UPS in place.)

2. The presence of an extra VLAN is clear, that's true. I would have wanted to
see redacted traffic dumps from a controlled lab network, where the authors
actually show that the device attaches to a known VLAN. Right now we have
nothing but their inference about the egress firewall going up shortly after
device boot.

It looks like a real deal. It's just presented in a way that puts me off. I'm
waiting for external confirmation and more technical data.

~~~
mindslight
From the terminal sessions, it seems like they're basically describing an IP
management interface for a unit that is presumed to be doing modem only (have
no IP), and characterizing things in the most sensationalist way possible.

Of course the default gateway is close - it's the next IP hop. If it's indeed
being used as a NSA/GCHQ backdoor, the actual attacker is at a different
address.

Traffic snooping is surely much easier to implement upstream, and your ISP is
indeed upstream of everywhere, despite what this paper alludes to.

As far as a branching off point for attacks on your network - given that this
seems to be a modem-only unit, there's still your router between it and your
local network. It seems that its attack surface remains the same as for a dumb
PPPoE translator.

edit: Actually they could be describing an entire modem+router combo, but an
error in saying the LAN PC initiates its own "PPPoE" request threw me off. The
interfaces look like a multi-port router (in the ones I've seen, the CPU
usually has one ethernet interface which goes into the port of a VLAN-capable
switch). Really, the lack of showing what the complete config looks like when
the user's PC is online makes it hard to see what they're actually getting at.

The only actual suspicious thing presented here is the specific 30/8 IP
address, and perhaps that has another explanation (address reuse?).
Independent verification is needed, but _definitely_ not using their flawed
"Method 2" which clearly changes your modem's complete setup :P.

------
keyme
I read the whole paper, and it doesn't at all look like the "real deal".

No actual evidence in the form of malware samples (after exploitation of the
network), detected "duplicate" certificates or whatever is provided. Not even
network captures of any MITM traffic going to the hidden VLAN.

The only "evidence" provided was the presence of the hidden VLAN, which got
assigned some 30.x.x.x IPv4 addr via DHCP.

This could simply be some internal management VLAN of the ISP. As the author
had stated, the ISP installs updates remotely. So that's their way of
connecting to the router. Regardless of updates, ISPs always have a way of
managing their equipment remotely.

A WHOIS was performed by the author, and the address turns out to belong to
the DoD. However, it's more likely that since this is a "private" VLAN, this
address has nothing to do with internet WHOIS records. It was just made up by
the ISP.

The authors getting a ping of 8ms to the NSA/GCHQ, is really just them talking
to some local server at their ISP.

Also the described attack on Tor seems completely wrong. No details were
provided, but the basic premise looks to be just wrong.

To conclude, this whole paper smells to me of sensationalism and confirmation
bias.
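
The comments above (mindslight's "the default gateway is close - it's the next
IP hop" and keyme's "this could simply be some internal management VLAN of the
ISP") both come down to the same first step of independent verification:
read the modem's own interface and route tables and classify what is there
before drawing conclusions from a WHOIS record or a ping time. The script below
is an added example for this thread, not code from the paper or from any of the
commenters. The `ip addr` / `ip route` dumps in it are constructed (busybox
style, as found on Linux-based CPE), and every address in them, including the
30.x one, is made up; the interface name `eth0.301` and the VLAN ID are
assumptions for illustration only.

```python
"""Classify the addresses and default routes a modem reports, as a first step
toward independently checking a 'hidden management VLAN' claim.

Added example for this discussion; not code from the paper. The dumps below
are constructed (busybox `ip addr` / `ip route` style) and the addresses are
invented, not taken from the PDF.
"""
import ipaddress
import re

# Constructed sample dumps. The 30.x address on eth0.301 is invented to stand
# in for the 30/8 management address the thread is arguing about.
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP> mtu 16436
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth0
3: eth0.301: <BROADCAST,MULTICAST,UP> mtu 1500
    inet 30.23.106.5/21 brd 30.23.111.255 scope global eth0.301
4: ppp0: <POINTOPOINT,NOARP,UP> mtu 1492
    inet 81.154.10.20 peer 81.154.10.1/32 scope global ppp0
"""

SAMPLE_IP_ROUTE = """\
default via 30.23.104.1 dev eth0.301  metric 10
default dev ppp0  metric 100
30.23.104.0/21 dev eth0.301  src 30.23.106.5
81.154.10.1 dev ppp0  src 81.154.10.20
192.168.1.0/24 dev eth0  src 192.168.1.254
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space

_IFACE_RE = re.compile(r"^\d+:\s+(\S+?):")      # "3: eth0.301: <...>"
_INET_RE = re.compile(r"^\s+inet\s+(\S+)")       # "    inet 30.23.106.5/21 ..."
_DEFAULT_RE = re.compile(r"^default via (\S+) dev (\S+)")


def classify(addr):
    """Bucket an IPv4 address by the range it belongs to."""
    a = ipaddress.ip_address(addr)
    if a.is_loopback:
        return "loopback"
    if a.is_link_local:
        return "link-local"
    if any(a in n for n in RFC1918):
        return "rfc1918"
    if a in CGNAT:
        return "cgnat"
    # Anything else is public space, which says nothing about where it is used:
    # WHOIS records who was allocated the range, not who is on a segment that
    # is never announced to the internet.
    return "public"


def is_vlan_subinterface(name):
    """Names like eth0.301 are 802.1Q sub-interfaces on Linux-based CPE."""
    return re.fullmatch(r"[A-Za-z]+\d*\.\d{1,4}", name) is not None


def parse_ip_addr(text):
    """Return [(interface, ip_interface)] pairs from `ip addr` output."""
    out, current = [], None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _INET_RE.match(line)
        if m and current:
            out.append((current, ipaddress.ip_interface(m.group(1))))
    return out


def parse_default_routes(text):
    """Return {device: gateway} for every `default via ...` route."""
    routes = {}
    for line in text.splitlines():
        m = _DEFAULT_RE.match(line)
        if m:
            routes[m.group(2)] = ipaddress.ip_address(m.group(1))
    return routes


def audit(ip_addr_text, ip_route_text):
    """List each interface with its address class and what still needs checking."""
    gateways = parse_default_routes(ip_route_text)
    findings = []
    for name, iface in parse_ip_addr(ip_addr_text):
        kind = classify(str(iface.ip))
        notes = []
        if is_vlan_subinterface(name):
            notes.append("802.1Q sub-interface")
            if kind == "public":
                notes.append("public range on an internal VLAN: WHOIS does not "
                             "identify who is on this segment; trace the next hops")
        gw = gateways.get(name)
        if gw is not None:
            # A low ping to a nearby gateway only means the next hop is close,
            # which holds for any on-link gateway; it is not evidence of who
            # sits behind it.
            onlink = gw in iface.network
            notes.append(f"default gateway {gw} is {'on-link' if onlink else 'off-link'}")
        findings.append((name, str(iface), kind, "; ".join(notes)))
    return findings


if __name__ == "__main__":
    for row in audit(SAMPLE_IP_ADDR, SAMPLE_IP_ROUTE):
        print(*row, sep=" | ")
```

Run against a real dump (captured over the modem's serial console or telnet
session, not over the interface under suspicion), the output separates the
three things the thread keeps conflating: that a tagged VLAN exists, that its
address falls in a range WHOIS attributes to someone, and that its gateway is
on-link. Only a hop-by-hop trace from the modem itself and a packet capture on
that sub-interface can say whether anything beyond the ISP's own segment is
reached.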

------
owenmarshall
A discussion of this paper came up a bit in reference to attacks on Tor. It
looks incredibly misguided.

[https://news.ycombinator.com/item?id=6887850](https://news.ycombinator.com/item?id=6887850)

[https://news.ycombinator.com/item?id=6888251](https://news.ycombinator.com/item?id=6888251)
-- one of the better comments that explains what the authors probably thought
they were observing.

------
namenotrequired
You should probably append [pdf] to the title.

~~~
namenotrequired
Thanks!

------
billyjobob
Has this research been peer reviewed anywhere?

~~~
mschuster91
No big peer review needed - all it takes is a couple of people in GB taking a
look at what in blazes their routers are doing.

But to those of us who have heard/known of TR-069, we knew that stuff like this
would eventually surface...

~~~
jamesbrownuhh
Small point. The devices called out by the authors are not routers, they are
MODEMS which are only installed on Fibre To The Cabinet installations. (These
modems are then connected, usually, to an ISP-supplied router such as the BT
Home Hub or whatever equivalent your ISP chooses to use.)

Fibre installs are by no means the majority or even the standard in the UK.
But obviously the general "don't trust your ISP router if you really think the
security services are after you" advice would seem to hold good no matter how
you're connected.

~~~
mschuster91
The basic points (TR-069, remote-accessible backdoors for "configuration
changes" by the provider - greetings and my personal choice of swear words to
Telefonica/O2 Germany here!) are still valid for DSL connections.

The router is _the_ perfect gateway into your private home network, especially
as Windows disables the firewall in a "home network"...

------
coopaq
Warning. This is a PDF download link.

~~~
Havoc
May I ask why this is a problem / requires a warning?

~~~
Torn
PDF renderers have been historically insecure due to the PDF format being a
complete mess

~~~
Havoc
I see. Thanks for explaining.

