Hidden NSA/GCHQ VLAN in British Telecom Customer Routers - vxxzy
http://cryptome.org/2013/12/Full-Disclosure.pdf

======
kyboren
Can anybody independently verify this?

Is it possible it's just the authors' referenced "Unlocked Firmware Image for
Huawei HG612" which is backdoored?

~~~
duskwuff
The methods they describe to "confirm" the backdoor are simply silly. The ping
results observed are not indicative of anything in particular, and the
30.150.x.x network that they're observing connections to isn't even routed.
(BT is probably using 30/8 as a semi-private network space.)

~~~
kyboren
I also have my concerns with this.

Even if BT or GCHQ/NSA were altering routing tables, it doesn't really change
the threat model of "assume Internet connections will be MITM'd". It _does_
concern me that it appears inbound connections to LAN devices are unrestricted
from this hidden VLAN, potentially allowing the ISP or its agents direct
access inside most people's primary network security perimeter. But I suppose
this is really no more dangerous than the remote firmware "upgrade" facility
found in this and many other consumer network devices. Best practice is
certainly to run your own, separate, firewall and wireless AP built as much as
possible on trusted FLOSS.

In any case, despite claims that, "At this point the attacker has complete
control of the modem and your LAN, extra firewall rules are added the moment
the ptm1.301 VLAN device is enabled by the dhcpc command", they annoyingly did
not list those firewall rules.

I also do not think their claims of Tor subversion hold water. From what I
understand of Tor, directory information (including nodes' key fingerprints)
is ultimately verified by the hard-coded keys of very few "trusted" operators
of authoritative directory servers. So long as the Tor software isn't
compromised, no MITM, regardless of where it's effected, will be able to
subvert the user's circuit construction (of course, barring bugs in Tor and
exploits higher up in the software stack). At least, that's my understanding.

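Added example, not part of this thread and not code from the Full-Disclosure PDF (which, as noted above, did not list the rules it refers to): a small Python audit of `iptables-save` text that diffs the rule set before and after a VLAN device comes up and flags rules accepting unsolicited (non-reply) traffic from a WAN-side interface, either to the router itself or forwarded into the LAN. The two rule sets are constructed samples, and the roles assigned to the interface names (ptm1.301 and ptm1.101 as WAN-side, br0 as the LAN bridge) are assumptions, not facts from the report.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `iptables-save` output BEFORE the VLAN device is up.
# These are illustrative rules, not the ones from the report.
BEFORE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o ptm1.101 -j ACCEPT
-A FORWARD -i ptm1.101 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Constructed sample AFTER a second WAN-side VLAN device (assumed name
# ptm1.301) has been enabled; the extra rules are hypothetical.
AFTER = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ptm1.301 -j ACCEPT
-A FORWARD -i br0 -o ptm1.101 -j ACCEPT
-A FORWARD -i ptm1.101 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ptm1.301 -o br0 -j ACCEPT
-A FORWARD -i ptm1.301 -o br0 -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Assumed interface roles on the device being audited.
WAN_IFACES = {"ptm1.101", "ptm1.301"}
LAN_IFACES = {"br0"}


@dataclass
class Rule:
    chain: str
    in_if: Optional[str]
    out_if: Optional[str]
    target: Optional[str]
    reply_only: bool  # matches only RELATED/ESTABLISHED, i.e. return traffic
    raw: str


def _opt(toks: List[str], flag: str) -> Optional[str]:
    """Value following a flag in a tokenised rule line, or None if absent."""
    return toks[toks.index(flag) + 1] if flag in toks else None


def parse_rules(text: str) -> List[Rule]:
    """Parse the `-A CHAIN ...` lines of iptables-save output into Rule objects."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue  # table headers, chain policies and COMMIT are skipped
        toks = line.split()
        states = _opt(toks, "--state") or _opt(toks, "--ctstate") or ""
        reply_only = bool(states) and set(states.split(",")) <= {"RELATED", "ESTABLISHED"}
        rules.append(Rule(toks[1], _opt(toks, "-i"), _opt(toks, "-o"),
                          _opt(toks, "-j"), reply_only, line))
    return rules


def added_rules(before: str, after: str) -> List[str]:
    """Rule lines present in `after` but not in `before`, in ruleset order."""
    seen = {r.raw for r in parse_rules(before)}
    return [r.raw for r in parse_rules(after) if r.raw not in seen]


def unsolicited_inbound(rules: List[Rule], wan=WAN_IFACES, lan=LAN_IFACES) -> List[Rule]:
    """ACCEPT rules for new connections arriving on a WAN-side interface that
    reach the router (INPUT) or are forwarded into the LAN (FORWARD -> lan)."""
    findings = []
    for r in rules:
        if r.target != "ACCEPT" or r.in_if not in wan or r.reply_only:
            continue
        if r.chain == "INPUT" or (r.chain == "FORWARD" and r.out_if in lan):
            findings.append(r)
    return findings


if __name__ == "__main__":
    for raw in added_rules(BEFORE, AFTER):
        print("added:", raw)
    for r in unsolicited_inbound(parse_rules(AFTER)):
        print("unsolicited inbound:", r.raw)
```

On a real device the two inputs would come from `iptables-save` captured before and after the interface appears (for example via a telnet or serial shell on an unlocked firmware). Rules that only match RELATED,ESTABLISHED are deliberately ignored, since those admit return traffic for connections the LAN initiated, which is the normal NAT-router posture; what matters for kyboren's concern is an ACCEPT with no such restriction on the hidden VLAN interface.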
~~~
duskwuff
> Even if BT or GCHQ/NSA were altering routing tables...

Actually, speaking of that...

If BT, GCHQ, and/or the NSA needed to subvert traffic, they'd do it in BT's
core routers, in a central location outside customers' view. There's no reason
they'd do anything so complex, failure-prone, and, most importantly, _visible_
as diverting traffic on customer hardware.

