The link goes to the press release. The actual advisory (https://www.cisa.gov/news-events/cybersecurity-advisories/aa...), linked from the press release, contains quite a bit more detail. They detail how they have observed Cisco routers being backdoored but don't limit the issue to that manufacturer.
>BlackTech actors bypass the router's built-in security features by first installing older legitimate firmware [T1601.002] that they then modify in memory to allow the installation of a modified, unsigned bootloader and modified, unsigned firmware [T1601.001].
I wonder how best to handle this kind of downgrade attack. Is reverting to an older firmware version an intended, supported feature? If so, I assume it's present in case the customer has a problem with the latest firmware and they want to revert. Maybe it makes sense to implement some restrictions on reversions -- e.g. they can only be done with physical access to the device, and it becomes impossible after an upgrade has been in place for 1 month say.
The focus on international subsidiaries was very interesting to me. I wonder what, specifically, it is about a subsidiary that makes it a softer target. Perhaps it's easier to gain physical access to a subsidiary office.
Just do what game consoles do: add hardware fuses that are expected to be blown depending on the version, and have the bootloader verify the number of fuses blown on boot. Then the device becomes a brick if it tries to boot an older firmware.
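As an added example (mine, not code from the advisory, the thread, or any vendor), here is a small C model of the fuse-based anti-rollback the comment above describes. The fuse bank, image header fields and version numbers are constructed for illustration: the count of blown one-time-programmable fuses is the minimum firmware security version the device will accept, the bootloader refuses anything below it, and fuses can only ever be advanced, never cleared, so once a newer image has booted an older legitimate image is rejected.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an OTP anti-rollback fuse bank (not a real SoC's). */
#define FUSE_COUNT 32u

typedef struct {
    uint32_t bits;   /* bit i set == fuse i blown; hardware only allows 0 -> 1 */
} fuse_bank_t;

typedef struct {
    const char *name;
    uint32_t security_version;   /* monotonic counter inside the signed header */
} fw_image_t;

typedef enum {
    BOOT_OK,
    BOOT_REJECT_ROLLBACK,        /* image older than the fuse floor */
    BOOT_REJECT_VERSION_RANGE    /* version larger than the fuse bank can encode */
} boot_result_t;

/* Number of blown fuses == lowest security version this device still accepts. */
static uint32_t fuse_min_version(const fuse_bank_t *bank)
{
    uint32_t n = 0;
    for (uint32_t b = bank->bits; b; b >>= 1) n += b & 1u;
    return n;
}

/* Advance the floor to `version`. OTP cells cannot be cleared, so a request
 * below the current floor is refused rather than silently "un-blowing". */
static bool fuse_commit_version(fuse_bank_t *bank, uint32_t version)
{
    if (version > FUSE_COUNT) return false;
    if (version < fuse_min_version(bank)) return false;
    uint32_t mask = (version == FUSE_COUNT) ? UINT32_MAX : ((1u << version) - 1u);
    bank->bits |= mask;          /* OR only: bits go 0 -> 1, never back */
    return true;
}

/* Policy applied after the image's signature has already been verified:
 * a validly signed but older image is still refused. */
static boot_result_t boot_check(const fuse_bank_t *bank, const fw_image_t *img)
{
    if (img->security_version > FUSE_COUNT) return BOOT_REJECT_VERSION_RANGE;
    if (img->security_version < fuse_min_version(bank)) return BOOT_REJECT_ROLLBACK;
    return BOOT_OK;
}

/* Boot flow: check, and on success raise the floor so this version is the
 * new minimum. A real bootloader would commit only after the image is
 * confirmed good (e.g. after a successful first boot), not unconditionally. */
static boot_result_t try_boot(fuse_bank_t *bank, const fw_image_t *img)
{
    boot_result_t r = boot_check(bank, img);
    if (r == BOOT_OK) fuse_commit_version(bank, img->security_version);
    return r;
}

/* Scenario from the thread: upgrade to v3, then try to load the old v2 image.
 * Returns 0 when the model behaves as intended. */
static int demo(void)
{
    fuse_bank_t bank = { .bits = 0 };
    fw_image_t v2 = { "fw-2.0 (constructed)", 2 };
    fw_image_t v3 = { "fw-3.0 (constructed)", 3 };
    boot_result_t a = try_boot(&bank, &v3);   /* accepted, floor -> 3 */
    boot_result_t b = try_boot(&bank, &v2);   /* refused: rollback */
    printf("%s: %s\n", v3.name, a == BOOT_OK ? "booted" : "refused");
    printf("%s: %s (floor is v%u)\n", v2.name,
           b == BOOT_REJECT_ROLLBACK ? "refused, rollback" : "booted",
           fuse_min_version(&bank));
    return (a == BOOT_OK && b == BOOT_REJECT_ROLLBACK) ? 0 : 1;
}

int main(void) { return demo(); }
```

The design point is that the version being compared lives inside the signed header, so it is covered by the same signature as the image; the fuse floor is then the only state the check depends on, and it is hardware-enforced to move in one direction. Supporting a deliberate downgrade for a customer would mean shipping a re-signed "older" image with a newer security version rather than letting the floor move back.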
>Advisory helps organizations protect against PRC-linked actors hiding in router firmware
The most popular router brand is TP-Link, which is a Chinese brand. Both Eero and Nest, from Amazon and Google, aren't available worldwide. Netgear and Linksys have poor firmware update frequency. That pretty much leaves ASUS, with which I have a decade-old unfixed bug where my ISP connection randomly fails to get a new IP.
I only wish Apple would come back with new AirPort Extreme.
For select small/home plastic routers, there's always OpenWrt.
OpenWrt is generally more trustworthy than the stock firmware, but I wouldn't expect any of these solutions to keep out a state actor, nor even a script kiddie with a lot of time on their hands. Trust level is more like not having a known stock firmware botnet motel, and maybe keeping some cruddy US IoT products on their own VLAN.
If a SoC has a co-processor with proprietary firmware, potentially for things like security, remote management, bringing up the main CPU, etc, peripherals with proprietary firmware, potentially with DMA access, or firmware operating at ring -2/-3, they can sidestep OpenWRT and you wouldn't even know it from the OpenWRT side of things.
But... How do you know that's not backdoored as well? I would just assume that everything is backdoored or has a zero day until proven otherwise. And yes, how do you prove a negative? I refer you back to my first point.
Everyone's throwing out suggestions, so I'll say what I've found to work well after years of sampling the options.
pfSense box + Ruckus WAP
I went with a Netgate SG-1100 and am happy with it for 200/100 WAN. I have a Ruckus R610 (used on ebay for $100) that gets regular Unleashed firmware updates and is far and away the best WAP I have ever owned.
We have photographic evidence of the NSA intercepting Cisco routers. I'm not sure the country of origin matters if you have a red spot painted on your back.
What's being proposed here - as an alternative solution to mass-produced Chinese equipment of unknown trustworthiness - is to purchase different mass-produced Chinese equipment of unknown trustworthiness.
Your example of highly-targeted physical interception by state-level actors is irrelevant here.
You are really bringing your own OS here. The nanopi can run mainline linux and u-boot[0]. If you suspect an Intel ME-style component with ring -3 access, it should show up in the initialization sequence - there are no blobs here. Features like these are not cheap to implement, especially when Chinese vendors are so keen on cutting costs.
Essentially, this means that there is zero risk, unless you are a target, at which point any unintentional hardware bug caused by the aforementioned corner-cutting will become a concern.
How do you guarantee there isn't some logic flashed onto the chip that overrides the bootloader sequence?
btw, I asked about this 5 months ago [0] and got some interesting replies. I ended up purchasing a PCEngines board (just before they went out of business).
From what I've seen, networking peripherals you can attach to a Pi via USB, or whatever, can't really compete with networking peripherals in routers that are integrated on SoCs/SoMs.
I figure people are using them for router things, like using it as a wireless AP and switch, and the hardware available for those use cases usually falls short of what's available on router SoCs.
I'm scratching my head as to why I don't hear about more people running Raspberry Pis as APs off the built-in WiFi for smaller (in terms of number of clients) networks.
I chucked up hostapd on Debian at one point and was surprised to see how good coverage it got. Outperformed devices in higher price-range without even attaching an antenna.
Same here. Unifi isn't perfect, but I still prefer the single-pane-of-glass view with Unifi and Protect. My biggest gripes are silly defaults that cause massive issues with 2.4 GHz devices, and subpar outdoor cameras and doorbells that fail after 1-2 years.
If you are like me and don't want to keep messing with the router, then Firewalla Gold 1Gb [1] or Gold Plus 2.5Gb [2] should be good for a home router.
Docker can also be used.
Don't get the SE or other cheaper versions, they use ARM chips. Gold/Gold Plus use x86.
They have a default configuration applied when they are first powered on after a reset which includes WAN, LAN and NAT setup. Possibly some basic firewall setup too, though I can't recall.
The UDM SE has a bug where if you max out 1 Gbps for a bit, at some point the WAN interface is going to crash and you have to either 1) restart, 2) unplug and replug the cable, or 3) restart the interface the WAN port was on.
This bug has existed for over a year, with no fix in sight.
Unifi's quality is dropping day by day. I'm convinced they don't use their own networking tools.
One simple reason is that there are 2 Chinas, but only 1 Japan. The specificity adds clarity, especially with a global audience. It’s very hard to misinterpret “PRC”, while “Chinese” is more ambiguous. And obviously you want to be more careful with negative statements like “Chinese Hackers” than positive ones like “Japanese (state) Partners.”
Why are they not equally 'careful' here? Why are they not using the country's "official" names such as IRI (Islamic Republic of Iran) or RF (Russian Federation)?
Note that I'm not even going into the rabbit hole of "PRC-Linked" vs "Iranian Government-Sponsored" -- although that is perfectly worth questioning also, because if you go into the actual article on Iran, they weasel out by saying "likely Iranian government-sponsored APT", whereas here it's only "PRC-linked" because we do not know for sure.
"The United States has a longstanding one China policy, which is guided by the Taiwan Relations Act, the three U.S.-China Joint Communiques, and the Six Assurances."
Completely uneducated here but it would make most sense if there’s a press line running for separating out the PRC from other “Chinas” out there which are better aligned with American geopolitical interests. (Or, at least, to illustrate such a perspective to the public at large)
If it were part of the lingua franca, "PRC" would be as easily recognizable as saying "US" or even "NZ" -- on the street or in the boardroom. Do you really think that is the case?
Where was Russia's great cyber warfare teams? They wouldn't have held back against consumer devices.
From what I've read western agencies helped Ukraine and the cyber efforts were mostly neutered.
It's one thing to be a random org in peace time but in war the deep penetration into Chinese networks will have exposed plenty of Chinese efforts not yet disrupted and all that was super secret and careful before turns into open warfare.
So it's not like the west is going in blind. The US spends mountains on this stuff, not including the mass of western commercial infosec companies tracking these critical "threat groups" as their business model. NSA is huge as it is and who knows how many federal and DOD agencies have cyber mandates these days.
All systems are inherently vulnerable, but mass backdoors in routers have been speculated to death by people way smarter than me, and most of what I've read is that the risk is largely overstated to the civilian population. The router doomsday scenarios are always super hand-wavy in the details.
Are you really arguing about ~$5 mil a month in drones? That's around the cost of ONE PATRIOT interceptor or 5 HIMARS salvos. It's not going poof, it's splattering invaders.
If you really want to get outraged by something, read about the Russians behind Lancet suicide drones: https://www.sensusq.com/blog/sensusq-analysis-on-the-zala-42... The son of the de facto owner/CEO of the company currently works at the UN Institute for Disarmament Research (UNIDIR) in Geneva.
Oryx has been proven to be providing false numbers well over a dozen times, including in the pentagon documents.
Re: Ukraine claims - is that the one where they claimed to have destroyed 4,700 tanks out of 3,500?
MediaZona, an organization run by strongly anti-Putin, pro-Ukraine owners in partnership with the BBC, is going to be the most accurate casualty information you can actually get: https://en.zona.media/article/2022/05/11/casualties_eng
And please, enlighten me: how exactly are they taking that many tank losses when they’re literally dug in, not moving, and have pulled the tanks back? They don’t even have to fight, the Ukrainians are doing a fine job tripping every land mine in the region by themselves.
> Oryx has been proven to be providing false numbers well over a dozen times, including in the pentagon documents.
Oryx literally counts visually documented losses on both sides; it’s likely to be a lower bound with rather large confidence on both sides of the conflict.
But it’s still a lower bound.
How is that “proven to be false”.
> MediaZona, an organization run by strongly anti-Putin, pro-Ukraine owners in partnership with the BBC, is going to be the most accurate casualty information you can actually get: https://en.zona.media/article/2022/05/11/casualties_eng
But those numbers are very different to the Pentagon documents, so they must be false, right?
> And please, enlighten me: how exactly are they taking that many tank losses when they’re literally dug in, not moving, and have pulled the tanks back? They don’t even have to fight, the Ukrainians are doing a fine job tripping every land mine in the region by themselves.
Because Russia isn’t dug in and not moving; they are constantly trying to counter-attack.
Not only that, dug-in tanks and tanks behind the front line are still vulnerable to drone-borne weapons, which are very popular in this war.
> Where was Russia's great cyber warfare teams? They wouldn't have held back against consumer devices.
The difference is that we’re fighting a proxy war with Russia over Ukraine. With Taiwan, it will be a direct war due to the security guarantees we have given Taiwan.
> Where was Russia's great cyber warfare teams? They wouldn't have held back against consumer devices.
I don't think their goal has ever been sabotage as much as it has been intelligence gathering, but I suspect a lot of their efforts have gone underreported.
Russia did successfully brick thousands of consumer satellite modems to disrupt communications in the opening hours of the Ukraine campaign. Everybody reported on Elon Musk swooping in and playing savior, but they acted like he's the first person to bring satellite service to Ukraine and neglected to mention incumbent ISPs' devices operating in the area had been destroyed in targeted cyberattacks (later, Russia went low-tech and just started lobbing artillery at ground stations).
Because of this oversight, nobody really understood why he pulled the service from the front lines; he saw what Russia was capable of and didn't want Starlink to become a military target itself.
It's always Cisco routers. The question might be naïve, but are Cisco routers inherently insecure at this point?
I know Cisco is also the biggest target and it's obvious that consumer routers are less secure, but at this point the amount of backdoors in Cisco routers raises the question if there is another player that has better security.
Honest question: Is it just selective awareness or are Cisco routers not the best option when it comes to security (for higher profile targets)?
The development processes behind Cisco seem to be they do have some great R&D teams in the US, but they outsource the shit out of software development overseas and the quality of work is dubious.
Pepperidge Farm remembers when Cisco's fix to a remote code execution CVE on routers was to check for the default `curl` user agent.
Cisco did do a good job burying that in search results though, got to give them props, if it isn't stealing material from blackhat presenters by force physically, it's buying PR.
It was a bit of hyperbole. However Cisco is very often mentioned in the context of found exploits if you look for example on The Register or similar IT news and subjectively even more than any other brand. Even if I am totally right about this, it still doesn't mean much in and of itself, so I asked.
Cisco has poor software quality and control when it comes to IOS (Cisco's OS, not Apple's iOS), whose implementation differs based on the end client or customer using their networking devices. This includes small/medium companies, universities, large enterprises, internet service providers, data centers, network storage, etc.
Each of the previously mentioned groups has its own implementation and licenses for the specific IOS version running inside the network device (whether a firewall, router, switch, or switch with routing capabilities, etc.). It has long been known that Cisco's poor software is due to the hundreds of modules/features they try to support on these devices (you never know which device will receive updates and for how long).
System administrators and network engineers alike always complain about the poor quality of Cisco's software [1][2].
I think Cisco has the highest market share in terms of commercial routers, and probably a higher percentage of use in areas that might be of state actor interest. If you have a WatchGuard, for example, there may be the same amount of vulnerabilities but less incentive to find them, and fewer people looking for breaches after the fact.
For something like this - the NSA and FBI have been trying to gain industry trust by releasing these advisories. The NSA at least has publicly admitted to this being one of the big reasons they do so given they've not managed to regain trust post-Snowden.
They have no incentive to lie here.
But see this for what it is: An attempt at gaining trust so more people will voluntarily work with them and give them data.
I do not understand your position. "The trust they gain from making this unsourced claim is a clear benefit, so they have no incentive to lie about it." Wouldn't the gained trust be an incentive?
You could argue that if they lied the incentive wouldn't be worth the risk, but proving they lied about this would be difficult, and that's a separate argument from the one you made.
I am arguing the incentive to lie isn't worth the risk in this case.
And they're not likely to give sources because of the whole "protecting sources and methods" bias they have to not reveal how they know what they know.
I'm making an argument about their motive here. The damage they'd face from lying is great (what if another leak comes out? What if a backdoor is found in the patch communicating with NSA infrastructure?) and the possible benefit relatively small.
These people lie professionally. It is their job to conceal and misrepresent their activities. They've lied to everyone already at some point. They certainly lie to people outside the US, they've lied to people in the US, they've lied to their oversight committees in Congress and they've lied to the president. It seems likely they're lying to each other for office politics reasons.
How are they supposed to take damage from lying? They have no credibility to lose. The NSA Wikipedia page takes a while to scroll through and is a saga of backdoors and skullduggery. "Spies lied, news at 11" will read the headline. I'm not saying this specific thing is true or not, what do I know. But if it turned out to be a lie, who could claim to be surprised? It has entered the public record that they developed tech to pretend to be foreigners like the PRC when conducting their cybercrime activities.
They are hurting for talent. Each instance of high-profile bad press makes it harder for them to replace their aging workforce and makes companies more reluctant to give them any data or research assistance. Beyond that, they've had a huge brain drain in recent years with their talent being hired away by the private sector. Which also means you should be wary about who gets hired at Amazon/Google/Microsoft/Apple/Hurricane Electric. Last I heard, a supervisor from the NSA who was in charge of some team dedicated to breaking cryptography in the early 2000s had since been hired by Amazon to lead cryptographic implementation at AWS.
Could be fine. Could be beneficial for Amazon's cryptographic security. But I know I'd be worried on what her reaction would be if the NSA came to her privately and asked for her to make a change at AWS that makes it easier for the NSA to exploit.
As for them lying... you have to look at incentives. Spies lie for a reason. They twist words, they lie by omission, they attack people's character, they claim their push for changes in the name of public safety is more important than freedoms.
They don't lie just for the sake of lying. Lying is not its own reward.
NSA has both red and blue teams. Work from blue teams helps the public even if they are only known for their red team. Iirc we saw the blue team with S-Boxes in DES, but I may be misremembering things.
You are correct. Hardening the S-Box was the blue team (to protect against differential cryptanalysis). Weakening the key length from 64 to 56 bits by making the MSB of each key byte a checksum, that was the red team.
> NSA worked closely with IBM to strengthen the algorithm against all except brute-force attacks and to strengthen substitution tables, called S-boxes. Conversely, NSA tried to convince IBM to reduce the length of the key from 64 to 48 bits. Ultimately they compromised on a 56-bit key.[13][14]
From wikipedia. Major compromise tbh :unamused:
[13] Thomas R. Johnson (2009-12-18). "American Cryptology during the Cold War, 1945-1989. Book III: Retrenchment and Reform, 1972-1980, page 232" (PDF). National Security Agency. Archived (PDF) from the original on 2015-04-25. Retrieved 2015-07-16 – via National Security Archive FOIA request. This version is differently redacted than the version on the NSA website.
[14] Thomas R. Johnson (2009-12-18). "American Cryptology during the Cold War, 1945-1989. Book III: Retrenchment and Reform, 1972-1980, page 232" (PDF). National Security Agency. Archived (PDF) from the original on 2015-04-25. Retrieved 2015-07-16 – via National Security Archive FOIA request. This version is differently redacted than the version on the NSA website.
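To make the "64 to 56 bits" point above concrete, here is an added example (mine, not from the thread or from Wikipedia) of the DES key-parity rule as specified in FIPS 46-3: each of the eight key bytes carries seven key bits plus one odd-parity bit in its least significant position, so the 64-bit key value contains only 56 bits that influence encryption. The sample key bytes are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Number of 1 bits in a byte. */
static unsigned popcount8(uint8_t b)
{
    unsigned n = 0;
    for (; b; b >>= 1) n += b & 1u;
    return n;
}

/* DES requires every key byte to have odd parity (an odd number of 1 bits). */
static bool des_byte_parity_ok(uint8_t b)
{
    return (popcount8(b) & 1u) == 1u;
}

/* True when all eight key bytes pass the DES parity check. */
static bool des_key_parity_ok(const uint8_t key[8])
{
    for (size_t i = 0; i < 8; i++)
        if (!des_byte_parity_ok(key[i])) return false;
    return true;
}

/* Set the low bit of each byte so the key has odd parity; the seven
 * high bits (the actual key material) are left untouched. */
static void des_set_odd_parity(uint8_t key[8])
{
    for (size_t i = 0; i < 8; i++) {
        uint8_t b = key[i] & 0xFEu;          /* clear the parity bit */
        if ((popcount8(b) & 1u) == 0u) b |= 1u;  /* make the count odd */
        key[i] = b;
    }
}

/* Strip the eight parity bits and pack the remaining 56 bits into an integer.
 * Two keys with the same result are the same DES key, whatever their parity
 * bits say; this is what "56-bit key" means in practice. */
static uint64_t des_effective_key(const uint8_t key[8])
{
    uint64_t k = 0;
    for (size_t i = 0; i < 8; i++) k = (k << 7) | (uint64_t)(key[i] >> 1);
    return k;
}

/* Demonstration: a valid key, the same key with one parity bit flipped
 * (rejected by the parity check but cryptographically identical), and the
 * all-zero key repaired to the 0x01 bytes of the well-known weak key. */
static int demo(void)
{
    uint8_t good[8] = { 0x13, 0x34, 0x57, 0x79, 0x9B, 0xBC, 0xDF, 0xF1 };  /* constructed */
    uint8_t flipped[8];
    memcpy(flipped, good, 8);
    flipped[0] ^= 0x01u;                     /* only the parity bit differs */

    uint8_t zero[8] = { 0 };
    des_set_odd_parity(zero);                /* becomes 01 01 01 01 01 01 01 01 */

    printf("good  parity ok: %d, effective key: %014llx\n",
           des_key_parity_ok(good), (unsigned long long)des_effective_key(good));
    printf("flip  parity ok: %d, effective key: %014llx\n",
           des_key_parity_ok(flipped), (unsigned long long)des_effective_key(flipped));
    printf("zero  after parity fix, first byte: %02x, effective key: %014llx\n",
           zero[0], (unsigned long long)des_effective_key(zero));

    return (des_key_parity_ok(good) && !des_key_parity_ok(flipped)
            && des_effective_key(good) == des_effective_key(flipped)
            && zero[0] == 0x01u) ? 0 : 1;
}

int main(void) { return demo(); }
```

The parity bits add error detection, not strength: `des_effective_key` makes visible that flipping them changes nothing the cipher sees, which is why the key space is 2^56 rather than 2^64.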
Their defensive side has, for many years, been very publicly and vocally sidelined in favor of offense. Defense being given the limelight is relatively new.
Yeah, post-Snowden there is quite a bit of mistrust in NSA-type government agencies. However, what people ought to focus a bit more on are the telco companies (AT&T-type companies). They get all your data, calls and location via cellular tower triangulation even with internet turned off. As long as you are using a mobile phone they have a lot of personal data about you, and they are NOT subject to public scrutiny the way NSA-type government agencies are. As bad as government agencies such as the NSA are, they are still (or need to keep up the appearance of) being scrutinized by the public. Yeah, and as some said, there are red/blue teams in the public agencies as well; some are still good public servants.
> The Threat Hunter Team at Symantec, a division of Broadcom (NASDAQ: AVGO), has uncovered a new espionage campaign carried out by the Palmerworm group (aka BlackTech) involving a brand new suite of custom malware, targeting organizations in Japan, Taiwan, the U.S., and China.
The link at the bottom of the article has a pretty good explanation of how it works and how to mitigate it. What part of it exactly do you need evidence for?
Depending on how we model a system, we don't necessarily need direct evidence in order for indirect events to influence our beliefs (see: abductive reasoning).