
Cisco routers in at least 4 countries infected by highly stealthy backdoor - Deinos
http://arstechnica.com/security/2015/09/attackers-install-highly-stealthy-backdoors-in-cisco-routers/
======
snowy
So it requires a Cisco router that has a default username and password, and
the router has to not have any kind of input firewall for its SSH.

Then you log in and install a patched firmware containing your backdoor.

It's hardly Cisco specific. Surely any router (or any device for that
matter) that has a known default username and password can be exploited in this
way?

Am I missing something here?

~~~
georgerobinson
Can anyone explain how something so basic as changing the default password is
left out? Do enterprise routers, such as Cisco's, have web-based management
interfaces or must everything be provisioned either manually over SSH or via
some other provisioning software?

~~~
cnvogel
So, I worked at an internet provider up to several years ago, and we were
using quite a lot of Cisco routers. Maybe something has radically changed, but
I'd be surprised. Please someone correct me if that's now totally different.

A Cisco router with a blank config will come up with all interfaces configured
"shutdown" and with no passwords set. You access it via a serial port on the
front, labeled "Console". It provides a command line almost, but not quite,
entirely unlike a unix shell :-) where you enter commands (ping, show routing
tables, ..) or configuration statements (config terminal // Interface
FastEthernet 0/0 // ip address 10.1.1.1... // no shutdown).

If the only thing you do is to give it an IP address on an interface and
enable it, it will have a passwordless login via telnet.

Every ISP/network department not run by complete imbeciles will have a
"standard config" regarding login and passwords: Ours back in the days was a
TACACS server for running user authentication, setting access levels for
particular users (and automated logins for configuration management) and
logging of logins/executed commands. You can also configure access lists that
logins are only allowed from specific IP addresses. Probably also have a
hardcoded password as fallback when the authentication server isn't reachable,
disable the console port for when your router isn't in a locked box, ...
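The "standard config" items in the comment above (central TACACS+ authentication, access lists restricting where logins may come from, no bare telnet) are easy to state and easy to forget on one box out of hundreds. The following is an added example, not code from the article or from any commenter: a small audit that reads an IOS-style running config and reports the vty-line weaknesses the article's infection path depends on. The two sample configs are constructed, and the hostnames, server names, ACL name and addresses in them are placeholders; the parser assumes IOS-style one-space indentation under `line`, `interface` and similar headings.

```python
"""Audit an IOS-style running config for the vty login weaknesses the comment
above describes: telnet left enabled, shared line passwords instead of AAA,
no source access-class, and no TACACS+ server. Added example; the syntax is
IOS-style and both sample configs below are constructed, not device dumps."""

import re

# Constructed "minimal" config: one interface brought up, vty lines left with a
# shared password and every transport enabled.
WEAK_CONFIG = """\
hostname edge1
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
line vty 0 4
 password cisco
 login
 transport input all
!
end
"""

# Constructed hardened config following the "standard config" pattern from the
# comment: TACACS+ via AAA, logins only from a management subnet, SSH only.
# Names and addresses (mgmt, MGMT-HOSTS, 10.9.9.0/24) are placeholders.
HARDENED_CONFIG = """\
hostname edge1
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
tacacs server mgmt
 address ipv4 10.9.9.9
!
ip access-list standard MGMT-HOSTS
 permit 10.9.9.0 0.0.0.255
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
line vty 0 4
 access-class MGMT-HOSTS in
 login authentication default
 transport input ssh
!
end
"""


def parse_sections(config):
    """Split a config into top-level lines and 'line vty' blocks.
    IOS indents sub-commands by one space under their heading; a '!' or the
    next unindented line ends the block. Other blocks' sub-lines are skipped."""
    global_lines, vty_blocks, current = [], [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith(" "):
            if current is not None:
                current.append(line.strip())
            continue
        global_lines.append(line)
        current = [line] if line.startswith("line vty") else None
        if current is not None:
            vty_blocks.append(current)
    return global_lines, vty_blocks


def audit(config):
    """Return a sorted list of findings; an empty list means every check passed."""
    global_lines, vty_blocks = parse_sections(config)
    findings = []
    if "aaa new-model" not in global_lines:
        findings.append("no AAA: logins are not authenticated per user or accounted")
    if not any(g.startswith(("tacacs server", "tacacs-server host")) for g in global_lines):
        findings.append("no TACACS+ server configured")
    for block in vty_blocks:
        name, sub = block[0], block[1:]
        if "no login" in sub:
            findings.append(f"{name}: authentication disabled ('no login')")
        if any(s.startswith("password") for s in sub):
            findings.append(f"{name}: shared line password instead of AAA")
        transport = next((s for s in sub if s.startswith("transport input")), None)
        # A missing transport line is treated as not hardened (assumption: the
        # default set of transports differs between IOS releases).
        if transport is None or re.search(r"\b(all|telnet)\b", transport):
            findings.append(f"{name}: telnet accepted, set 'transport input ssh'")
        if not any(s.startswith("access-class") for s in sub):
            findings.append(f"{name}: no access-class, logins allowed from any source")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['OK']}")
```

Run against a real `show running-config` dump the audit is only a first pass: it does not know the device's per-release defaults, and it does not inspect the console line or the fallback local account the comment mentions, both of which deserve the same scrutiny.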

------
turk-
hmm I wonder who could be doing this.

https://www.techdirt.com/articles/20140518/17433327281/cisco-goes-straight-to-president-to-complain-about-nsa-intercepting-its-hardware.shtml

~~~
dguido
Probably not: "The initial infection doesn't appear to exploit any
vulnerabilities in Cisco devices. Rather, attackers seem to be taking
advantage of routers that use passwords that are factory default or are
somehow otherwise known."

~~~
oconnore
This rhetoric of casually discounting the possibility of government breaches
in commercial networks might have sounded insightful and worldly several years
ago. Now it just seems ignorant.

The person you were responding to had no evidence to back their claim (in this
particular instance), but neither do you.

~~~
tptacek
Quoting facts from a story that rebut someone's theory isn't "rhetoric of
casually discounting", even if you don't like where those facts take us.

~~~
kbenson
I don't know, I think it could be seen as that if the facts quoted do not
support the position they were used to bolster.

~~~
tptacek
I don't think so. Maybe you could point out the part of the comment I replied
to that supports that argument?

~~~
kbenson
I don't think how "easy" or low-tech the infection method is really points one
way or another towards whether it was a government agency, whether it be the
NSA or some other, or not. Using such a fact, whether it be from the story or
not, does not strongly indicate to me, and I do not think it should strongly
indicate to others, that this was or was not the NSA. I can see that as
"rhetoric of casually discounting".

I'm not particularly a fan of the comment in question, it was a bit
confrontational for my taste, but I also think evidence in support of a
position should be relevant, and I view this evidence as only loosely
relevant, if that, to the stated position. Whether it's from the source
article or not is beside the (or at least _my_ ) point in this case.

If someone were to make a persuasive argument that the initial method of
infection actually mattered to the NSA (which I haven't seen yet), I might
change my position.

------
_wmd
FWIW IOS backdoors were already being researched by 2003, this isn't
surprising at all, and I imagine by now the true scope of the problem is a
little bigger than a few routers

~~~
sslalready
> FWIW IOS backdoors were already being researched by 2003 [...]

I recall there was a Swede (the grue?) on the Pull the Plug IRC network who
was cross-compiling and linking in backdoored object code in Cisco IOS images
already back in 2000.

------
acd
This is why your routers should run open source software. At least then you
can reinstall it and be reasonably assured it does not have malware.

Also we need an inventory of where things can be hidden in devices. Are there
embedded flash areas where are they?

A modern reinstall should:

1) Reinstall the operating system from a known good source
2) Flash all firmware and flash chips with known good code.

Both operating system and firmware should be open source so you can inspect
the code.

~~~
snowy
Routers used by most networks are proprietary boxes from specific vendors.
There is no such thing as open source software for them.

I do not know of an open source router hardware that is available (at ISP
scale)

Getting an x86 box and throwing FreeBSD and Quagga on it might work for small
amounts of traffic. But for ISP scale bandwidth you're stuck with a few main
vendors...

~~~
rsync
"I do not know of an open source router hardware that is available (at ISP
scale)"

You're basically correct but it's worth remembering that it _is_ possible to
add a bunch of quad nics to whitebox and run bpf on it, courtesy of one of the
BSDs and do real routing at an ISP scale.

That would be completely open source (and quite secure).

Probably pretty performant if you knew what you were doing.

~~~
snowy
yep, but you are never going to get a generic processor architecture to have
anywhere near the performance of custom silicon ASICs designed specifically
for routing packets. No matter what software you put on top of it.

It's never going to work in a core network routing 100s of gigs of traffic. So
it's not going to work for ISPs

------
eyeareque
First, I don't think this is the NSA. It is far too sloppy for something like
this. You probably wouldn't be able to detect them so easily. It is possible
to be from another nation state though, or smart attacker. Also, we know that
the NSA tries to cover their tracks:
http://arstechnica.com/tech-policy/2014/08/snowden-the-nsa-not-assad-took-syria-off-the-internet-in-2012/
"Instead, the TAO’s hackers “bricked” the router, Snowden said. He described
the event as an “oh shit” moment, as the TAO operations center team tried to
repair the router and cover their tracks, to no avail."

What I am confused about is that I assumed IOS images were signed. How are
people creating backdoored IOS images without failing signature checking?
Maybe they patched rommon?

------
tamersalama
Why is a country relevant in this context?

~~~
malfist
Because it's likely a state did this.

> In an interview with Reuters, FireEye CEO Dave DeWalt said, "That feat is
> only able to be obtained by a handful of nation-state actors." In any event,
> there's no doubt that the devices were infected by a professionally
> developed and fully featured backdoor.

~~~
pyvpx
this presentation says as much, but the techniques have been widely known
for...ever. yes, most likely the only group with the will power and means is a
government, but it certainly doesn't _have_ to be.

http://www.phenoelit.org/stuff/FX_Phenoelit_25c3_Cisco_IOS.pdf

------
horchata
So FireEye posted the original article. Anyone surprised?

------
happyscrappy
>The initial infection doesn't appear to exploit any vulnerabilities in Cisco
devices. Rather, attackers seem to be taking advantage of routers that use
passwords that are factory default

~~~
Beltiras
I'm waiting for a hardware feature that prompts the setup administrator for
credentials upon factory reset boot (preferably an SSH key rather than a
password) and doesn't function till properly secured.

------
mtgx
Whoever trusts Cisco at this point is living in la-la land where they refuse
to acknowledge the _reality_ that Cisco has been helping governments build
surveillance capabilities into its routers to spy on its customers.

Whatever negative impact this has on their own business is fully deserved at
this point.

~~~
mindcrime
The problem is, how do you know who you _can_ trust? I mean, really, you
can't, as long as network devices are closed source, proprietary black boxes.
Right now I have no particular reason to think Juniper or anybody else ship
routers that are less likely to be exploited or back-doored, relative to
Cisco.

Yet one more reason to say that rms was right all along.

~~~
imglorp
Plenty of sites can replace a black box router with a plain linux or bsd box
with a couple of good network cards and some iptables/ipfw rules. That solves
a number of issues right there.

~~~
amyjess
Of course, if you were _really_ paranoid, you'd worry that somebody
intercepted your Linux box's motherboard as it was being shipped to you so
they could install a backdoor in the BIOS or EFI...

~~~
rndmind
If you felt that way, you could configure a read-only filesystem once it is
setup. Not a terribly complex solution.

~~~
monocasa
How would that protect against an EFI or BIOS backdoor?

